Halkyn Security Blog
http://www.halkynconsulting.co.uk/a
Specialist Security & Risk Management Consultants
Feed last updated: Mon, 15 Jan 2018 14:29:40 +0000

Memory analysis in incident response – never leave home without it
http://www.halkynconsulting.co.uk/a/2018/01/memory-analysis-dfir/
Mon, 15 Jan 2018 13:00:08 +0000

Incident response is often a stressful, high-pressure situation. Responders are desperately trying to claw together information. All around them the world is collapsing. Furthermore, everything important seems to be deleted or obfuscated. Yet it is not all doom and gloom. They have memory analysis.

Life can be hard for the incident responder. You are faced with malware and/or attacker tools, often heavily disguised. Attackers pack & obfuscate malware to avoid AV. Memory resident attacks can execute without ever touching a disk. Even when you think you’ve won, you discover the attackers are back in again. It can be demoralising.

Memory analysis can help you escape this nightmare cycle.

What do we mean by memory analysis?

Memory analysis supports incident response in ways people never consider

At a very high level, we mean collecting RAM from a machine in support of incident response. This can come in many forms.

Computer memory can be thought of as the space your computer uses to do things. This is where things like the screen you see on login reside. When you open a new application, it is loaded into memory. For Windows users, if you open Task Manager, every process in that list of running processes is in memory. Adding more memory is also a fast way to really boost performance.

Memory is really important. This is just as true for the investigator. Because of what it holds, memory analysis can be very revealing.

The most striking demonstration is in hunting malware.

Crafty attackers change their code to avoid detection. They encrypt payloads to fool monitoring. They armour their attacks to make life harder for reverse engineers. All of this can be very effective and it makes life hard for responders.

However, in memory, things are very different. Malware in RAM is exposed. It has to run, so it has to be readable. As a result of this, memory analysis can give a clear insight into attacks. For most investigations, this makes a significant difference.

Some problems

However, it isn’t simple perfection. As you might imagine, memory analysis has its own problems.

Memory Analysis vs Reboot

First of all, memory is volatile. This means it changes and when the system loses power, memory is often gone. Often but not always. In incident response, one of the first things you should do is capture the memory. Even if you later don’t need it. If you don’t grab it at the start, you may never get it.

Sometimes you don’t have any choices here. Often, troubleshooting involves a power cycle. People who panic may pull the power cord. All of this goes towards flushing volatile memory. Consequently, investigators get cold, dead computers to analyse. Yet, despite this, there are still opportunities (hiberfil.sys/pagefile.sys). More on this in a future post.

Another issue is that memory can be big. Modern computers often have at least 8GB of RAM. If you are looking at servers then 32GB and upwards is normal. This is great for performance. Because of this size, however, memory capture can be slow. It can frequently take over an hour to capture RAM. This might sound trivial, but during that time the RAM will have changed a lot. The volatile nature can be a nightmare for unsuspecting investigators.

Memory analysis solutions

Above all, good incident response processes help. Have the right tools available to capture memory. Make sure captures start first. Make sure there are good records. All of this works towards mitigating problems.

There are lots of memory collection tools. Rather than think “TOOL X” is the best, try them all. Find the one which fits with your workflow the best. Then learn its strengths and weaknesses.

Memory Analysis Needs Tooling

When it comes to analysis itself, there are two main tools to consider.

First of all, Volatility is one of the best-known tools. Every responder should have at least a basic understanding of how to use this. It is free, open source and cross-platform. Volatility is written in Python, making it easy to extend. One of the best things is the sheer range of community plugins available.

The second tool you should look at is Rekall. In some respects, this is more polished but right now it has fewer plugins. Rekall can be faster with new operating systems and integrates well with IR tools.

Finally, out of the main tools, is Redline. This is a free product provided by Mandiant. Unlike the other two, this is a fully GUI tool. Redline provides an easy-to-use interface at the cost of some flexibility.

Just like with collection, never feel you have to pick one tool over others. Practice them all. Then use them all. Learn how the results from one tool lead to the next. Most of all, become proficient at using the right tool for the right task.

A good example is to use Redline first – giving you high-level insights. Then use Volatility to drill into details.

Memory Analysis – Volatility Plugins

Finally, as mentioned, the strength of Volatility is the community plugins. To this end, on Taz Wake’s GitHub pages we will be releasing IR plugins for everyone to use, adapt and develop. Feedback is always welcome.

Christmas – Seasonal Shutdown
http://www.halkynconsulting.co.uk/a/2017/12/christmas-seasonal-shutdown/
Thu, 21 Dec 2017 09:00:28 +0000

Halkyn Consulting will enter its Christmas shut down period on Friday 22 Dec. We remain closed to new business until Tuesday, 2 Jan 2018. As always, existing customers can still engage us through the normal means.

So all that remains now is for us to wish all of you a Happy Solstice, Merry Christmas and a Happy New Year. We look forward to working with you in 2018. Stay secure.

Checklist or your memory, is one better?
http://www.halkynconsulting.co.uk/a/2017/12/memory-checklist/
Sat, 09 Dec 2017 23:40:44 +0000

Quite rightly, security professionals are proud of how much information they hold in their heads. There is no doubt that to be effective you need to have immediate access to lots of different concepts. However, the really effective ones also have a checklist.

First off – the problem. Lots of certificate exams are memory tests and lots of hiring managers believe tests “under pressure” show value. But really this is just a test of how much information you can hold for a short period of time. This is great if you are sitting a closed-book exam. It is also why boot camps work. Now ask yourself – is hearing something & remembering it long enough to answer an exam question a good thing? In practice, to be good at your job you just need to know what you have to look up and be able to look it up quickly. Having a checklist is a definite win.

Checklist vs You?

The next issue is simply ego. We believe we know security, so having to stop and follow a guide is somehow embarrassing. Everyone has confidence issues and when we see other people reciting things from memory (for example, dropping into conversation that ISO27001 Annex A, 9.3 is User Responsibilities), it can be daunting.

Here, the simple thing is to realise it is irrelevant. If someone has memorised Annex A, the CSA CCM, NIST SP800-53 or whatever, be pleased for them but it may help less than you think.

Other than a tiny percentage of people who are truly able to memorise and recall on demand, most people actually remember less than they think. They may truly believe they have memorised Annex A and, if they are good, they will be right 90% of the time.

And there is the point. They will be wrong 10% of the time. This may not matter (getting 9.3 and 9.4 mixed up isn’t really a life or death issue) but when it is important, you need a checklist.

Rather than say “you aren’t good enough to memorise (whatever)”, using a checklist says you are professional enough to realise that it is IMPORTANT that nothing gets overlooked. You realise it is IMPORTANT that every step gets followed. There is a reason why experienced pilots still go through a checklist before every flight.

When do I need a checklist?

So, the simple answer to this difficult question is – whenever it is important that every step is followed or every option is considered. Only you can be the judge of that, but try to avoid letting your ego take over and decide “hey, a true professional would know to do it this way.”

The main situations where we recommend checklists are:

Incident Response. Here the importance is to make sure the right steps happen in the right sequence, every time, in a high-stress situation. Every collection must be forensically sound and every analysis must be methodological. This is crying out for a checklist response.

Audit and Assessment. Here the importance is different. This isn’t about stress, it’s about dealing with tedium. Every audit must be repeatable and follow the exact correct steps. You can’t miss anything out, and you need to deal with the fact that as you get bored, your mind wanders. Following a checklist can save you. An example of this is the ISO27001 self-assessment checklist we provide.

There will be lots of other situations – some of which you will need to decide for your organisation. Sadly we don’t have a checklist for “situations where you need a checklist”.

Whatever you do, don’t let your ego force you to try to remember things when you don’t need to. Save your brain power to think of innovative solutions to problems and use the checklist to manage your back-end processes.

Threat Hunting – essential for every business
http://www.halkynconsulting.co.uk/a/2017/09/threat-hunting-essential-every-business/
Tue, 12 Sep 2017 19:17:32 +0000

Lots of articles, blog posts and webcasts talk about threat hunting. Despite this few, if any, organisations do it. This is a mistake.

Security hit the headlines again recently, when Equifax admitted to a breach exposing around 143 million records of personal data. While details are still emerging, it looks like the attackers compromised an external website and exfiltrated the data. There are no specifics on the attack yet, but it takes time to copy out that much data. Good threat hunting uses this time to detect attackers. This would have allowed Equifax to implement countermeasures to minimise the breach.

Any organisation can threat hunt. Threat hunting uses your existing security controls to identify attackers before they can destroy your business. It doesn’t replace anything. You can’t use it to replace your AV or firewalls, no matter what vendors say. Hunting doesn’t mean you can get rid of your incident response teams.

Every organisation should hunt threats on their network. You don’t need to buy anything new and you can do it with your own staff. This post gives some tips to get you started, but nothing beats experience and formal training. Halkyn Security offer a threat hunting service, which includes helping set up your teams to hunt. However, if you want formal training we strongly recommend SANS courses, at least for key staff.

Cyber Security and Threat Hunting

Traditional security focuses on established controls. This is your firewall, endpoint antivirus, mail filter and similar tools. A very good example of traditional security is the Cyber Essentials scheme. As the name says, this is essential.

Next you need to ensure a way to respond to incidents. From Talk Talk to Equifax, it is apparent that incidents will continue to happen. As a result, incident response really does matter.

Even with this in place, problems will still happen. Advanced Persistent Threat might be a marketing term, but the reality is persistent attackers exist. Criminals, or nation states, will spend time subverting your controls.

Here lies the problem. If an attacker can bypass your controls, what triggers your incident response process? Often, sadly, it is public notification when other people discover your breach.

Threat Hunting – The IR Equation

Defending your information relies on a simple equation. If the time to detect (D) the attackers and the time to respond (R) to the attack is less than it takes the attacker (A) to complete their mission, you win. If it isn’t, the attacker wins. The fundamental goal of threat hunting is to speed up your side. This is how you win.

When the dust settles, it turns out most breaches last months. Attackers spend time moving around. They collect sensitive data. The data is hoarded into staging servers. Eventually, the attackers exfiltrate the data. At this point it is too late for anything other than a PR exercise to limit the damage. However, in the weeks and months before this your organisation has thousands of opportunities to detect and defeat the attack. Threat hunting really does make the difference.

Threat hunting for beginners

You agree threat hunting is a good idea, now where do you start? This guide can help but remember nothing matches either skilled staff or bringing in dedicated threat hunting teams.

To get started, think of each threat hunt as a way of testing a theory. Build a theory. Decide what evidence would support it (or disprove it) and then collect the data.

Every environment is different, so we can’t give you specific examples for your network here. However, we can provide some examples you might want to tailor:

Threat hunting example scenarios

Here are some example threat hunting scenarios. This is not an exhaustive list and the idea is you will build on this to develop good practices for your own organisation.

Network Threats

Command and Control Channels. If you have a compromised device, it has to talk to the attackers. Collate your firewall and proxy logs. Split them into hourly segments. Find any device which is present in every segment. Establish why.

Unusual protocols. Check the data going out of your organisation. If you see encrypted traffic on port 80, it is unusual. Establish what has caused this.

Suspicious encryption. When your users visit HTTPS sites, there is a TLS/SSL handshake. When malware calls home it normally uses its own preset encryption instead. Look at your port 443 traffic and investigate any connections without a handshake.
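The command and control hunt above (hourly segments, find the device present in every one) written out as an added example; this is not code from the original post. The proxy log format and the host names are constructed, and the min_fraction parameter goes slightly beyond the post by letting you relax "every segment" on long captures. Note the output is a lead, not a verdict: a mail client polling every hour will also surface, which is the "establish why" step.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (hypothetical format, not from the original post):
# "<ISO timestamp> <source host> <destination host>", one request per line.
SAMPLE_PROXY_LOG = """\
2017-09-11T00:12:03 ws-042 cdn.example.net
2017-09-11T00:17:44 ws-042 beacon.example.invalid
2017-09-11T00:40:10 ws-017 mail.example.com
2017-09-11T01:02:19 ws-042 beacon.example.invalid
2017-09-11T01:33:51 ws-099 news.example.org
2017-09-11T02:05:27 ws-042 beacon.example.invalid
2017-09-11T02:18:00 ws-017 mail.example.com
2017-09-11T03:09:12 ws-042 beacon.example.invalid
2017-09-11T03:47:58 ws-017 mail.example.com
2017-09-11T03:50:01 ws-042 cdn.example.net
"""


def parse_proxy_log(log_text):
    """Yield (hour_bucket, source, destination) for every well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than abort the hunt
        stamp, src, dst = parts
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        # Hourly segment: truncate the timestamp to the hour.
        yield when.replace(minute=0, second=0, microsecond=0), src, dst


def hunt_persistent_talkers(log_text, min_fraction=1.0):
    """Return (devices, pairs): sources, and source->destination pairs, seen
    in at least min_fraction of the hourly segments spanned by the log.

    min_fraction=1.0 is the post's rule ("present in every segment"); lower
    it to tolerate a missed beacon or two over a long capture.
    """
    device_hours = defaultdict(set)
    pair_hours = defaultdict(set)
    all_hours = set()
    for hour, src, dst in parse_proxy_log(log_text):
        all_hours.add(hour)
        device_hours[src].add(hour)
        pair_hours[(src, dst)].add(hour)
    if not all_hours:
        return [], []
    # Segments are every hour between first and last event, so a silent hour
    # counts against a device rather than being ignored.
    first, last = min(all_hours), max(all_hours)
    total_segments = int((last - first).total_seconds() // 3600) + 1
    needed = min_fraction * total_segments
    devices = sorted(d for d, hrs in device_hours.items() if len(hrs) >= needed)
    pairs = sorted(p for p, hrs in pair_hours.items() if len(hrs) >= needed)
    return devices, pairs


if __name__ == "__main__":
    devices, pairs = hunt_persistent_talkers(SAMPLE_PROXY_LOG)
    print("devices in every hourly segment:", devices)
    print("source/destination pairs in every segment:", pairs)
```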

Endpoint Threats

Persistence. Collate startup entries (registry keys, autoruns etc) from all endpoints and scan for unusual entries. Any machine with unique software in startup / run keys should be investigated.

Account use. Collate event logs from all endpoints and scan for user account logins. Investigate outliers and unusual events like remote logins with local accounts.

Unusual software. Audit the software installed on all your devices. Sort the list to identify what software is only on one or two devices. Investigate this software.
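The endpoint hunts above (unique startup entries, software only on one or two devices) share one technique: collate the inventory from every host, stack it, and look at the rare end. Below is that stacking as an added example, not code from the original post; the CSV layout and host names are constructed, and the lower-casing of entry names is an assumption that your collection tool exports Windows names with inconsistent case.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed autorun inventory (hypothetical, not data from the original
# post): "host,entry" rows, as a per-endpoint autoruns export might give.
SAMPLE_INVENTORY = """\
host,entry
ws-001,OneDrive.exe
ws-001,SecurityHealth.exe
ws-002,OneDrive.exe
ws-002,SecurityHealth.exe
ws-003,OneDrive.exe
ws-003,SecurityHealth.exe
ws-003,wupdatesvc.exe
ws-004,OneDrive.exe
ws-004,securityhealth.exe
ws-005,OneDrive.exe
ws-005,SecurityHealth.exe
ws-005,WinSCP.exe
ws-006,OneDrive.exe
ws-006,SecurityHealth.exe
ws-006,winscp.exe
"""


def stack_entries(csv_text):
    """Invert host->entry rows into entry->set(hosts).

    Entry names are lower-cased because Windows file names are
    case-insensitive; otherwise one binary exported as "WinSCP.exe" on one
    host and "winscp.exe" on another would count as two separate rare entries.
    """
    hosts_by_entry = defaultdict(set)
    for row in csv.DictReader(StringIO(csv_text)):
        entry = (row.get("entry") or "").strip().lower()
        host = (row.get("host") or "").strip()
        if entry and host:
            hosts_by_entry[entry].add(host)
    return hosts_by_entry


def rare_entries(csv_text, max_hosts=2):
    """Return [(entry, [hosts])] for entries present on at most max_hosts
    endpoints, rarest first. These are the investigation leads; everything
    on most of the fleet is the baseline.
    """
    stacked = stack_entries(csv_text)
    rare = [(e, sorted(h)) for e, h in stacked.items() if len(h) <= max_hosts]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


if __name__ == "__main__":
    for entry, hosts in rare_entries(SAMPLE_INVENTORY):
        print(f"{entry}: only on {', '.join(hosts)}")
```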

Threat Hunting – the future

As we said, this is just the start. Run some hunts with the information here and see what happens. If you find attackers, roll into your incident response. Feed the lessons learned back into your future threat hunting. As you mature, you can integrate threat intelligence feeds.

UOC – Cybersecurity Conference 2017
http://www.halkynconsulting.co.uk/a/2017/03/uoc-cybersecurity-conference-2017/
Thu, 23 Mar 2017 09:15:50 +0000

Cybersecurity is big news with governments and businesses suffering at the hands of cyber attacks. As a result of this, the University of Chester (UoC) STEMs society is hosting a Cybersecurity Conference on the 28th March 2017.

The primary aim is to raise awareness of Cybersecurity. In addition, it will provide an opportunity to build professional networks and encourage career development. Most of all this event provides an opportunity for you to ask any questions you might have. The current line up of speakers includes some genuine experts. As a result this presents a great opportunity to discuss what matters to you.

The event is at Thornton Science Park and UoC staff, students and guests are welcome. Advance registration is required via EventBrite and it starts at 1700hrs. Attendance is free. So there really is no reason to miss out on this event.

UoC CyberSecurity Conference

The guest speakers include:

Taz Wake – Cybersecurity and Risk Consultant at Halkyn Consulting Ltd, based in North Wales.

James Simpson – Cybersecurity Consultant & Director at Secti Ltd, based in Shropshire.

Matt Hull – MSc Student at the University of Chester & Detective Constable at Cheshire Constabulary

GCHQ – GCHQ defends Government systems from cyber threats, provides support to the Armed Forces and strives to keep the public safe, in real life and online.

While the event is on, free refreshments, including pizzas, will be provided.

Please note, Thornton Science Park is an access controlled site. As a result all guests are required to register in advance. Also, all guests are to use car park B for parking. More details are available from the event organiser or the EventBrite page.

In conclusion, if you live in the North West and have even the slightest interest in Cybersecurity, you should attend this event. So don’t hesitate, book it now on EventBrite.

Dashboards vs Security – are they really helping?
http://www.halkynconsulting.co.uk/a/2017/03/dashboards-vs-security-really-helping/
Mon, 20 Mar 2017 14:06:24 +0000

Like them or not, metrics are a fundamental part of every organisation. Security doesn’t get a free pass. It is a rare CISO who doesn’t demand dashboards showing how all the security controls are performing. Therefore, for most organisations, this is a fight long lost. This may not always be a bad thing either.

Really, dashboards are a good way of showing metrics. Metrics themselves aren’t inherently evil. As a result, you’d think dashboards would enhance your infosec work.

However, all too often the opposite is true. Metrics end up collected just for the sake of it. As a result, dashboards end up being nice shiny things for people to stare at. This is not good.

What do you mean?

First off, an example to explain this. Two of the most common metrics collected in security are patching and anti-virus status. Both are generally good things so people want to measure them. As a result, these are often cited in security guidance – such as CSO Online’s article. While this seems like a great idea it has problems.

Patching. Nearly every program will measure things like the number of systems patched to “current” levels. Normally this means they’ve had all the patches applied within 48 or so hours. For most enterprises, hitting 95% here is a really good thing and will be green on the dashboards.

Antivirus. Another common one where people measure the number of systems with recent AV updates. Most of the time this is “updates issued in the last 24 hours” with 98% compliance target. As a result, unless things break, it is often green.

Your AV is green…

The problem is that this dashboard doesn’t tell you anything useful. If your organisation has 200 systems, you could have 10 totally unpatched and 4 without any functional AV and still show green on the dashboard. One phishing campaign and 4 – 10 machines are compromised. All the while, your dashboards show green and the attacker steals data.

So, is there really any value in this obsession with metrics?

Actually, yes. Metrics do have a place in every organisation. Just not driving the dashboards that give your executives their view of security. It’s important to pick good, effective metrics. It is more important to truly understand the message they give you.

Dashboards, what are they good for?

Actually, lots of things.

Metrics are best at showing things which are changing towards a target. They are brilliant at project measurements. Also, they are good at showing progress towards a goal. These are all areas where metrics excel.

When it comes to “steady state” measurements, it is a bit different. They can do it, but you need to realise they are telling you something different. Metrics tell you what your risk level is and help drive improvements. They help support compliance programs. This is all useful stuff.

However, most dashboards don’t give you situational awareness. Don’t let them trick you into thinking they do. Real operational dashboards take a lot of effort to create and manage. If you have an out-of-the box product, you don’t have this.

What should you do?

If your dashboards are basically compliance reports, then accept it. Compliance is good but it isn’t security. Educate yourself that green doesn’t mean secure, it just means things are operating. Use them to inform your risk management but remember 1 vulnerable device is enough to compromise your entire network.

Take time to decide if you want security metrics. If you do, fully understand what you want them for. Without this, your dashboards will be pointless. Try to avoid simply googling for ideas. Good security metrics come from your organisation’s controls & requirements – not a template.

If you really want security monitoring, then don’t go for dashboards, monitor your enterprise. Centrally log events, look for malicious activity and threat hunt. You can measure this but it will never look good on a dashboard.

Security Incident Response Really Does Matter
http://www.halkynconsulting.co.uk/a/2017/03/security-incident-response-matters/
Wed, 08 Mar 2017 21:42:00 +0000

Incident response is one of those things you really hope you’ll never have to use, but know you will. Or at least you should know! Even with the best security, there will come a day when you are up to your eyes in chaos. Either a live security incident or, worse still, picking up the pieces after a breach.

This has stood out a couple of times recently. Someone appears to have breached the US Central Intelligence Agency and, at the opposite end of the spectrum, a small business in the UK looks seriously hacked. Two events which, although unrelated, show that whoever you are, security events are inevitable. Equally inevitable, some will turn into a full blown incident. At this point you realise you have either planned and prepared properly or suffer the consequences.

The UK angle – SME hacked

Incident Impact – Chiltern Seeds

Chiltern Seeds is a UK based, family run business offering seeds and plants with a personal touch from a small team. They have a web presence which enables them to service customers across the UK. From the available information, they didn’t cut corners. A custom built website supports customers. Payments go to a dedicated provider. Good web practices.

All of this is good stuff. It isn’t enough to guarantee never having an incident though.

At the end of February, they suffered a web outage, followed over the next few days with customers (and curiously some non-customers) getting a very well phrased phishing email. This took them to a page trying to steal payment card information. Details of this stage of the incident are online and well worth reading.

This is a terrible situation for any business, especially a small one who is unlikely to have a dedicated incident response (IR) team. The problem is that this is fairly common. Equally common is the lack of IR preparation. This is where “bad” gets worse. No preparation basically means no real incident response.

There is more pain for Chiltern Seeds with IR work happening in the public domain. Customers (admittedly tech savvy ones) are looking into the incident and drawing conclusions. Customers are challenging the claims made by Chiltern Seeds and for a time at least, they have lost control of the narrative. A bad situation is at risk of spiralling out of control.

IR is there to stop this.

Incident Response – do better!

This post can’t cover every possible situation or every possible response scenario. If we tried, it would still fail because IR has to align to your business. However, there are principles to follow.

Plan. Then plan. And then plan some more.

Hacked? Time for incident response…

First of all, if you take no other action, come up with an incident response plan. Decide right now what you will do if bad things happen. Don’t try to plan for every possible incident, just plan for high level events. Involve key stakeholders and ensure everyone has an idea of what to do. This is essential if you don’t want to panic when something goes wrong in the middle of the night.

Examples of high level events you should plan for:

Denial of service attack on your websites

Malicious software or unusual code on your sites

Customers reporting suspicious activity

Unusual events on your firewall or web proxy

Phishing emails

A fundamental rule is that more planning leads to a better response. There is no escaping this. Accept it and plan.

Scan and Monitor

Your incident response plan is useless if it never triggers. This is more important than you might imagine. If you don’t know you’ve been hacked, you can’t respond to it. Additionally, if you only find out about an incident from your customers, it is way too late.

You fix this problem by creating awareness. This includes scanning, logging and, most importantly, analysing the data. How you do this doesn’t matter, just do it. Some key considerations are:

Learn what your customer facing website code should look like and scan for changes

Monitor the traffic going through your firewall

Monitor changes on your PCs, Databases and code repositories

Scan for vulnerabilities and missing patches

Scan for sensitive data in the wrong place (such as a PHP include with DB login credentials stored in the root of your webserver)
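Two of the considerations above, learning what your website code should look like and scanning for a credentials file in the wrong place, as one added example; this is not code from the original post. It baselines every file under a document root with SHA-256, reports drift against that baseline, and flags any file under the root whose content matches a simple (assumed, tune-it-yourself) pattern for PHP database credentials. The demo() web root and its file contents are constructed in a temporary directory.

```python
import hashlib
import os
import re
import tempfile

# Hypothetical pattern for a PHP include that stores database credentials;
# extend it to match your own code base's conventions.
CREDENTIAL_RE = re.compile(
    r"\$(?:db_pass|db_password|password)\s*=|mysqli_connect\s*\(", re.I
)


def hash_tree(root):
    """Return {relative path: sha256 hex digest} for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = digest
    return digests


def diff_baseline(baseline, current):
    """Compare two hash_tree() snapshots; return (added, removed, modified)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return added, removed, modified


def exposed_credential_files(root):
    """Relative paths of files under the document root whose content looks
    like DB credentials. Anything under the root is potentially servable,
    so subdirectories are scanned too, not just the top level."""
    hits = []
    for rel in hash_tree(root):
        with open(os.path.join(root, rel), "r", errors="replace") as fh:
            if CREDENTIAL_RE.search(fh.read()):
                hits.append(rel)
    return sorted(hits)


def _write(root, rel, text):
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(text)


def demo():
    """Build a constructed web root, baseline it, let it drift, and report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "includes"))
        _write(root, "index.php", "<?php include 'includes/db.php'; ?>")
        _write(root, "includes/db.php", "<?php $db_pass = 'placeholder'; ?>")
        baseline = hash_tree(root)  # taken when the site is known-good

        # Simulated drift: a page is altered and a config file with
        # credentials appears directly in the web root.
        _write(root, "index.php", "<?php include 'includes/db.php'; /* x */ ?>")
        _write(root, "config.php", "<?php $db_password = 'placeholder'; ?>")
        added, removed, modified = diff_baseline(baseline, hash_tree(root))
        return {
            "added": added,
            "removed": removed,
            "modified": modified,
            "exposed": exposed_credential_files(root),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```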

Respond to the incident at a speed you can manage.

When the inevitable happens, you have to take action. This is where your planning earns its money. Don’t allow the stress and uncertainty of the incident to make you take action before you are ready. One major mistake from the 2015 TalkTalk hack was engaging with the media faster than the incident response teams could gather information. This meant that the message to the public was often confusing and contradictory.

It is vital to engage with the media and your customers quickly. But it is more important to do it accurately. If your message is slow, people will complain. A constantly changing message will create confusion. However, if your message is wrong, it can be catastrophic.

The important thing to remember is that the better you plan, the better your incident response will be. If you want to communicate fast and often, your plan must support it.

Incident Response Matters. Take it seriously.

That is the crucial message here. No matter the size of your organisation, if you have computers or a website, something bad will happen. Don’t be surprised when it does, because you know you need an incident response plan.

North Wales Cyber Security Cluster – April 2016 Meeting
http://www.halkynconsulting.co.uk/a/2016/04/north-wales-cyber-security-cluster/
Mon, 18 Apr 2016 07:45:00 +0000

The North Wales Cyber Security Cluster is meeting on 21 April at Solvings Ltd, in Mold, Flintshire. Solvings provide a great location and the cluster is a wonderful opportunity to learn about cyber security.

Access to cluster meetings is free and everyone is welcome. No prior knowledge is needed. There really are no stupid questions!

Clusters exist across the UK and grew out of the UK Government’s Cyber Security Strategy. In North Wales, meetings are monthly. Each session comprises a mix of presentations, information sharing and networking.

Halkyn Consulting is proud to be presenting a session on cyber attacks for the April meeting. We will look at why cyber security is different & why it matters. Following this, we will cover hackers. This will include what motivates them and what techniques they use.

In this session we will also present a case study involving a live “hacking” demonstration. This is based on an investigation we carried out for a UK client. The demonstration will show, in near real time, how swiftly hackers can compromise a system. This is true, even for a fairly well secured system.

If time allows, we will cover some additional cases involving blended attacks and newer tools. All of this is based on real-world examples of attacks hitting UK businesses.

To close our session, we will talk about incident response. This is a crucial part of every cyber security plan. We will look at three common IR models. We will also briefly cover the six steps of incident response. A future session will concentrate this in more detail.

Everyone really is welcome to the Cyber Security Cluster. Free up a couple of hours on Thursday and pop in to say hello. Please help to spread the word. North Wales can be a centre of Cyber Security excellence.

Ransomware: Don’t panic – deal with it
http://www.halkynconsulting.co.uk/a/2016/03/ransomware-dont-panic-deal/
Tue, 22 Mar 2016 22:32:51 +0000

Since Cryptolocker appeared in late 2013, it seems hardly a day can go by without some ransomware attack hitting the news. The variations all have entertaining names like Teslacrypt, Locky, PayCrypt (etc). The impact on the victims can be monumental. Tracking sites show new versions appearing several times a day – much faster than most Anti-Virus products update their definition files. If you are infected, your files really are lost unless you pay.

All of this points to a specific type of malicious software which is causing some very, very big problems to businesses and home users across the globe. In late 2015, even the FBI suggested paying the ransom was the only option for some victims.

But it doesn’t have to be this way. Simple steps can prevent infections. Simple steps can allow you to recover.

If you access the internet or read email, ransomware is attacking you. Don’t be scared of it. Don’t be overwhelmed. Don’t think it is not important enough. Don’t procrastinate. Just deal with it today.

What is ransomware?

Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.

Although only really in the news a lot now, this type of malware has been around for a long time. In 1989 “PC Cyborg” was locking users’ computers and spreading via floppy disks. As the internet evolved, so did the ransomware. For a long time, the attacks came in via email and only hit Windows users. However, things are changing. Research indicates that over 50% of infections are from users accessing malicious webpages. This year (2016) has now seen the first OSX ransomware infections hitting Mac users.

The reality is that this is so profitable, criminals will put a lot of effort into keeping it working. If your defences stand still, it will beat you.

Common Myths

There are some common misconceptions around ransomware which hinder investigations. Don’t hinder your response by barking up the wrong tree.

Myth 1: Ransomware is always sent by email. Far from it. Two years ago this was true, but in the last 18 months things have changed. While email is still a common attack vector, more users are compromised by browser exploits.

Myth 2: Ransomware is infectious. Most people’s experience of malware is with a virus that spreads by infecting machine after machine. Current versions of ransomware, however, do not do this. By its nature, this type of attack tends to be a single shot, with each user having to be infected directly by the source.

Myth 3: Ransomware targets businesses. No. Most attacks are targeting home users. This is where the attackers make their money. The assumption is corporate environments can recover without paying. However, attackers don’t tend to be choosy, so businesses do get hit.

Myth 4: Multiple attacks mean targeting. Still no. Ransomware is so common you can’t ever assume that several users getting infected is a sign that your business is being targeted. It just means attackers have a big list of your email addresses or your users all visit the same sites.

Myth 5: Only people who visit dodgy sites get attacked. Modern attacks are delivered through otherwise legitimate content delivery networks. Ransomware has infected visitors to newspaper websites, Yahoo pages and much more. Any internet activity can lead to an infection.

Dealing with Ransomware – Simple Steps

2 simple stages in dealing with ransomware.

For all the trouble it causes, dealing with this form of malware is actually quite simple.

First and foremost is preventing the attacks. This is really important.

However before you go any further, you need to fully understand that nothing will be 100% effective. The more users you have, the greater the chance of an infection. Our experience is that in a given month, you should expect 1 successful infection for every 5000 users you have.

Accept this. Put good controls in place but realise that you will still need to respond.

Prevention first

Good preventive controls will eliminate 80 – 90% of all malware attacks, including ransomware. The exact level of detail will depend on your environment so make sure you plan this properly.

Start with the basics:

Patch. Most ransomware attacks exploit unpatched systems. When patches are released you need to apply them as soon as practical. The longer you delay, the greater the risk.

Run AntiVirus. While it isn’t perfect, AV really isn’t dead. If you run a good AV tool, with regular updates and heuristics enabled, most ransomware attacks will be blocked. Brand new variants will still get through, but you will be protected against the thousands and thousands of older versions.

Use your firewall. Make sure your firewall blocks outbound connections to known C&C servers. This can disrupt the ransomware as it tries to get the encryption keys, preventing it from running. It isn’t perfect but without it, life is harder.

Minimise privileged accounts. Administrator accounts must never be used for routine activity. Privilege escalation must be controlled and, ideally, requires manual credential entry each time. If you absolutely must allow privileged accounts access to the internet, this should be whitelisted. Privileged accounts must never be used to access email. If a privileged account is infected by ransomware everything is much, much worse.

Backup. Backup. Backup. Backup. Take backups. Backup everything you can. Data storage is cheap so there is very little reason to not take copies of everything. The more you backup, the faster you can recover from ANY problem. Take daily, weekly, monthly backups. Test and verify them on a regular basis. It is important to make sure any backups you take are “offline”, otherwise ransomware can hit them as well as your live system.
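The firewall item above (blocking outbound connections to known C&C servers) only pays off if somebody looks at what was blocked, because a blocked call-home is the one moment in the attack chain where the responder is ahead of the malware. The following is an added example, not code from the Halkyn post: a small Python triage script that parses firewall log lines, matches destinations against a C&C blocklist and raises one alert per internal host, marking as critical any host whose connection to a listed address was allowed rather than denied. The log format, the blocklist addresses and the sample lines are all constructed for illustration and are not from the post.

```python
"""Triage firewall logs for outbound connections to known C&C addresses.

Added example (not from the Halkyn post).  The log format, the blocklist
and the sample lines are constructed for illustration only.
"""
import ipaddress
import re

# Constructed blocklist of C&C addresses (documentation ranges).  In a real
# deployment this would be fed from a threat-intelligence source.
CC_BLOCKLIST = {
    ipaddress.ip_address("203.0.113.45"),
    ipaddress.ip_address("198.51.100.7"),
}

# Constructed firewall log format: timestamp, "fw", then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw action=(?P<action>allow|deny) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: host .21 is blocked twice reaching a listed address,
# host .88 is *allowed* through to a listed address, plus one bad line.
SAMPLE_LOG = """\
2016-03-22T09:14:01Z fw action=allow src=10.0.5.21 dst=93.184.216.34 dport=443
2016-03-22T09:14:07Z fw action=deny src=10.0.5.21 dst=203.0.113.45 dport=443
2016-03-22T09:14:09Z fw action=deny src=10.0.5.21 dst=203.0.113.45 dport=8080
2016-03-22T09:15:30Z fw action=allow src=10.0.5.88 dst=93.184.216.34 dport=80
2016-03-22T09:16:02Z fw action=allow src=10.0.5.88 dst=198.51.100.7 dport=443
malformed line that the parser must skip
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["dport"] = int(ev["dport"])
    return ev


def triage(log_text, blocklist=CC_BLOCKLIST):
    """Summarise, per internal source host, every attempt to reach a listed
    C&C address: how many were denied, how many allowed, when it started."""
    hits = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["dst"] not in blocklist:
            continue
        h = hits.setdefault(
            str(ev["src"]),
            {"denied": 0, "allowed": 0, "first_seen": ev["ts"], "dsts": set()},
        )
        h["denied" if ev["action"] == "deny" else "allowed"] += 1
        h["dsts"].add(str(ev["dst"]))
    return hits


def alerts(log_text, blocklist=CC_BLOCKLIST):
    """One alert per host, sorted by source.  A host that was *allowed* to
    reach C&C is the urgent case: the block failed and the payload may
    already hold its encryption key.  A denied-only host is still a live
    infection to isolate, but the attack has been disrupted."""
    out = []
    for src, h in sorted(triage(log_text, blocklist).items()):
        severity = "CRITICAL" if h["allowed"] else "HIGH"
        out.append({"src": src, "severity": severity, **h})
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a["severity"], a["src"], "denied=%d allowed=%d" % (a["denied"], a["allowed"]),
              "first=%s" % a["first_seen"], "dsts=%s" % sorted(a["dsts"]))
```

The useful output is the source host and the first-seen time, not the destination: that is the machine to pull off the network and the point from which to start the timeline, while the attack can still be stopped.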

Once you have all that, look to up your game:

Manage Network Shares. This is the biggest problem for most businesses. Infected users end up destroying files belonging to everyone else because network shares are badly managed. Make sure users only access folders they need to access. If you can, make sure network shares are not mapped as drive letters. Never allow the “everyone” or “all users” AD groups to have read/write access.

Harden your browsers. Restrict what people can do with downloaded files. Make sure browser activity is AV scanned.

Manage application paths. Use GPO or similar to prevent software from running in “unusual” locations. Never allow files to run from user-writable locations such as %LocalAppData%. Ideally, whitelist the applications you allow to run rather than try to block the ones you don’t want.

Install ad-blockers and disable flash. This closes the door on two of the most common web-based attack vectors.

If ransomware prevention fails, respond

Respond, but respond properly. Most of the harm from ransomware is the result of confused, delayed or inconsistent activity by the people tasked with responding.

Step 1: Have an incident response plan and stick to it. Don’t allow panic or knee-jerk reactions to dominate during an attack or things will go wrong. Make the plan when things are calm and trust it. If it’s bad, fix it after the incident, not during.

Step 2: Don’t panic. Ransomware doesn’t spread from machine to machine. Take rational steps to minimise business impact. Ignore the people who are screaming about disconnecting everything or shutting everything down. Follow your IR Plan.

Step 3: Know where you are in the attack chain. If you’ve discovered the “ransom note”, it’s too late to do anything to prevent the attack. However, if your SIEM has alerted on a blocked outbound connection to a C&C server, you can do things.

Step 4: Don’t panic. Seriously. Think carefully about what has happened. If you find the ransom note, there is almost zero value in shutting things down or disconnecting services. The attack is already over. All you are doing is hurting your business more.

Step 5: Identify the point of infection. The first rule is that if you find encrypted files on a server, it probably isn’t the source of the infection. Remember, ransomware attacks people so only systems which allow web-browsing or email can be the source. Don’t waste time looking in the wrong place. Use file modification timestamps and ownership to identify the source. This means you shouldn’t rush in and destroy the evidence.

Step 6: Still don’t panic. It is only ransomware. It won’t spread from machine to machine. It has either been blocked or finished its attack. Stay calm and follow your IR plan.

Step 7: Clean the source. When you find Patient Zero, clean their system. Ideally rebuild the OS and reset all account credentials. Find out what let the ransomware in and implement fixes.

Step 8: Clean and restore the rest of the environment. Delete the encrypted files and restore from backups. Get your business up and running again quickly.

Assuming you have good backups, following this process means you will lose, at most, a few hours work for one user and a couple of hours to restore backup files.
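The outcome above depends on two of the earlier controls: backups that ransomware could not reach, and backups that were tested and verified before they were needed. The following is an added example, not code from the Halkyn post, of the simplest verification that catches both problems: record a SHA-256 manifest of the backup set when it is taken, then compare the set against the manifest before relying on it. A backup that ransomware reached shows up as modified files plus an unexpected ransom note; a restore that silently differs shows up the same way. The manifest layout and the sample files built in the temporary directory are constructed for illustration.

```python
"""Build a hash manifest of a backup set and verify the set against it
later, so a backup that ransomware reached, or a restore that silently
differs, is detected before anyone relies on it.

Added example (not from the Halkyn post).  The manifest layout and the
sample files are constructed for illustration only.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (with '/' separators) -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify(root, manifest):
    """Compare a tree against a manifest.  Returns sorted lists of modified,
    missing and unexpected paths; three empty lists means the set is clean."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Self-contained run: take a manifest of a constructed backup set, then
    simulate ransomware rewriting one file, dropping a note and removing
    another file, and verify again.  Returns (clean_result, hit_result)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        with open(os.path.join(root, "finance", "q1.xlsx"), "wb") as f:
            f.write(b"constructed spreadsheet bytes")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"constructed readme")

        manifest = build_manifest(root)      # taken when the backup is made
        clean = verify(root, manifest)       # immediate check: nothing changed

        # Simulated damage to the backup set (constructed).
        with open(os.path.join(root, "finance", "q1.xlsx"), "wb") as f:
            f.write(b"garbage standing in for ciphertext")
        with open(os.path.join(root, "HOW_TO_DECRYPT.txt"), "wb") as f:
            f.write(b"constructed ransom note")
        os.remove(os.path.join(root, "readme.txt"))

        hit = verify(root, manifest)
        return clean, hit


if __name__ == "__main__":
    clean, hit = demo()
    print("before:", clean)
    print("after: ", hit)
```

The manifest must itself live somewhere the backup job cannot overwrite (an offline copy is the obvious place, for the same reason the post wants the backups offline), otherwise an attacker who can rewrite the backups can rewrite the manifest to match.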

Don’t make the same mistakes. Implement good practices. Plan well. Prepare for attacks and respond to ransomware in an appropriate manner. Don’t make a bad situation worse, just deal with the attack.

Keep in mind, Cyber Essentials is a UK government initiative which is geared towards organisations implementing cost-effective controls which are very effective at minimising the risks from attacks like ransomware. If you achieve certification then there is a good chance you’ve covered the basic requirements! Get in touch if you want to find out more about how you can become Cyber Essentials certified and protect your business & your supply chain.

Cyber Essentials – Would it have saved Lincolnshire County Council?
http://www.halkynconsulting.co.uk/a/2016/02/cyber-essentials-would-it-have-saved-lincolnshire-county-council/
Mon, 01 Feb 2016 09:00:47 +0000

Cyber Essentials is a UK Government driven scheme which is designed to help businesses of all size reduce the risk and impact from malware attacks. It is mandatory for those who provide services to the MOD. Cyber Essentials is becoming mandatory for those who provide services to any other government department – including local government and councils.

This is a good thing.

Despite there being some criticisms of Cyber Essentials, the scheme does what it says on the tin. It helps businesses prevent things like ransomware knocking them out.

Sadly, not every government department practices what they preach.

Lincolnshire County Council – Hit by ransomware Jan 2016

Around 26 January 2016, Lincolnshire County Council was hit with a ransomware attack. Initial reports from the BBC claimed the demands were for £1m. However by the end of the week this had been corrected to the more normal £300.

Ransomware can be devastating for home users. It has the potential to destroy priceless data. Few home users take proper backups and end up having to pay. This means there is a lot of money to be made.

Organisations are different. The assumption is they will have backups. There is also an assumption they will never pay. This all means criminals very rarely target businesses with ransomware. What is likely to have happened is simply a user made a mistake with their email.

This happens a lot. It is also one of the reasons why Cyber Essentials was created and why it is so valuable for businesses.

Would Cyber Essentials Have Helped?

Within the Cyber Essentials framework there are five security control areas. These are the foundations of good security.

Boundary Firewalls & Internet Gateways.

Secure Configuration.

Access Control.

Malware Protection.

Patch Management.

As you can see, it is simple. It is also very effective. Good controls for all five are likely to have prevented the ransomware attack. Even if they didn’t, the Council could have bounced back in less than a week.

If Cyber Essentials had been in place, the following should have worked:

The initial phishing attack should have been detected at the boundary.

If devices were properly configured, ransomware would struggle to run. There would also be no fear of lateral movement. This fear forced the council to shut down all services for a week.

Secure configuration also includes a working backup policy. Taking a week to restore from backups is shocking.

Good access control policies would prevent the ransomware encrypting anything other than the files belonging to the infected user.

Having effective anti-malware means using more than “signature based” detection. The news reports all state this ransomware variant was too new for AV signatures. This means that they were not using heuristics….

In a nutshell, Cyber Essentials would have saved the Council here. The worst that ransomware should do is a few hours downtime for one user while you restore from backups. Everything else means you’ve made major mistakes.

Ransomware isn’t new. It shouldn’t be unexpected. Suffering from it should no longer be acceptable. If you outsource, you absolutely MUST ensure your provider knows what they are doing. This does not seem to be the case here.

Cyber Essentials is not a silver bullet. However, it will prevent 80% of cyber attacks.

3 essential elements of any Infosec function
http://www.halkynconsulting.co.uk/a/2016/01/infosec-3-essential-elements-of-your-team/
Fri, 08 Jan 2016 21:06:55 +0000

As the news often shows, Information Security (infosec) is a big part of any organisation. From the small business with just a couple of computers to the global enterprise, infosec wraps around what you do, keeping you safe.

Infosec is the function which keeps you servicing your customers. It protects your data. It ensures that you have a reasonable chance of still working tomorrow.

The challenge is not in realising the need for information security, it is in making it work.

At a very high level you need to ensure that three key elements are in place. With them, you can get world class security. Without them, you will always be behind the curve.

Essential Elements for World Class Infosec in your Business

Good, internal, security team.

Internal Infosec Team – The Foundation of Everything.

This forms the foundations of everything you do so they need to be good. If your team is “average” or worse, fix that before you do anything else.

A good, internal, infosec team will allow you to improve and grow. These will be the people who know everything about your organisation. Your internal team will know where the problems are. They will know who is responsible for systems. They will know what is normal and what isn’t.

With a good internal team, you can parachute in external support and things will just work. It is hard to overstate how important this actually is. One of the biggest mistakes companies make is paying for external services without the internal framework to support it. Avoid this mistake at all costs.

Good external infosec consultants.

Expert External Infosec Consultants – Halkyn Consulting.

Your internal team learn your environment inside out. They become experts in it. However you also need experts on the outside world. Techniques change. Good practice evolves.

Your great internal team needs fresh ideas and fresh input. Rather than have a staff churn, external consultants can provide this.

External consultants can also provide the infosec “bigger picture.” By bringing experience from other companies, they can help you change your ways for the better. This allows you to learn from the pain others have felt.

Sometimes internal infosec teams feel threatened by external consultants, so you need to manage this. Make it clear that the external experts are there to help and support. If you get this right, you will significantly enhance your security.

If you are building a security team from the ground up, then external consultants can give you the knowledge to get things moving. The consultants can help you select a team. They can train your team. They can test and benchmark your team.

Good, ideally external, testers.

Test. Test as much as possible. Pentest, VA scans, etc., they are all good. The more testing you do, the more confidence you can have in your systems. Without testing, you are basically hoping things work well.

You can use internal test teams. These will know where to really probe for dirt. However, they will also suffer from this knowledge. They will attack in the paths you’ve predicted. They will use the exploits you are expecting.

This is good, and much better than nothing. It isn’t perfect and it really isn’t world class.

In the same way external consultants bring new ideas, external testers really push your infosec teams. They will think of things you have never considered. They will test systems in ways you can’t imagine. They will show you what an attacker can learn. They will highlight the mistakes better than anything internal.

The biggest “lesson learned” from a real external pentest comes at the end, when your internal team get the report and try to work out how the attackers got in. Spend time looking at how the controls were bypassed. Spend time finding ways to detect it next time. There will be a next time; you just have to hope you are ready before an attacker finds it.

Conclusion – 3 elements for world class infosec

So, in summary, there are three essential building blocks for every infosec team. It is easy to identify them, but it is also easy to overlook one or more. All are essential if you want to drive the maximum security benefit for your organisation.

The real challenge is in making sure you implement all three properly. You need good teams to start with and a plan to make them all better. You need to drive continual improvement. You need to learn from everything that goes wrong. If you do this, you will have a great security team and your infosec processes will be robust.

Need help?

If you need help with this, Halkyn Consulting can offer advice, support, assistance and mentorship at every stage.

We can help you build your internal infosec team from the ground up. We can help you improve them. We can help you benchmark them. We can train your incident responders, we can support your forensics collections.

If you have a good, trusted, internal information security team, we can help bring in new ideas. We can provide external frames of reference. We can help you learn from the lessons other companies suffer.

Incident Response – 5 key stakeholder groups
http://www.halkynconsulting.co.uk/a/2015/12/incident-response-key-stakeholders/
Mon, 07 Dec 2015 08:59:40 +0000

Incident response is a vital component of every organisation’s security. It provides the safety net for when the inevitable happens and other controls fail. A good incident response team will also have subject matter experts who can guide your entire organisation’s security strategy.

If you take security even slightly seriously, you will have an incident response team. It is often called a “CSIRT”, but you may use other titles like SIRT, IRT or CERT. Ideally, you’ve put your technical expertise here so that they can respond to incidents across the board. You’ve manned it properly so the team have the resources to deal with the volume of incidents you face, and you’ve given them the tools to detect, confirm, investigate and contain incidents in a timely manner.

If you’ve done all this, you’ve done well and your response will be pretty good.

However, even the best CSIRT team needs help. Your handlers may be experts but you want them spending time on incidents, not constantly refreshing their knowledge of the ins and outs of your environment.

You can solve this by making sure they interact with key stakeholders in your business.

5 Key Stakeholders for Incident Response

Every organisation is different. However, your CSIRT must find a way to engage with the equivalents of the following groups:

IT Services. Your incident response team need to establish solid relationships with all the key parts of your IT Services organisation. Internally, this includes networking, database teams and developers. Externally you need to include hosting providers and service providers. This is the most crucial relationship they can have.

Security Management. You need more than a CSIRT. The incident responders can’t be expected to own every aspect of security. You need to ensure they have a route to engage other parts of security and especially security management / leadership teams.

Legal. Incidents open the door for lots of legal considerations. You need to make decisions about what to report and how significant an event may be. Your incident responders should be technical experts, not legal experts. This means your handlers must have a way of seeking guidance from real lawyers. Ignore legal at your peril.

Human Resources. Users are a frequent cause of security incidents. Your incident response team need to be able to handle these in the correct way. To enable this, the CSIRT need to engage with HR. Ideally, there will be regular links to ensure compliance and an ad-hoc link when an incident happens. As with legal, ignore HR at your peril.

Public Relations. Incidents can go public with very little warning. No one wants to make the Talk Talk mistake with a CEO talking faster than your incident response team can work. It is vital that your incident response guys engage with PR before and during incidents. Your PR team are experts in making sure the incident response message is the right one. If you need to go public and there is no link between incident response and PR, you will feel pain. Lots of pain.

Incident Response Communications

So, you know it makes sense to engage, but how can you do it?

Step 1: Identify the right people. Find or nominate key individuals within the stakeholder groups. These do not need to be security experts, but they need to be aware of the incident response team’s existence. Make them aware of their duties – normally to act as a support point for any incident activity.

Step 2: Set up regular security cadence meetings. People forget things. You can minimise this with a regular meeting between all the stakeholders. You can use this to drive improvements, review previous incidents or just remind everyone.

Step 3: Incident Response Escalations. When your team is in flight with an incident, have them set up proactive alerting. Don’t call everyone every time, but your handlers need to be planning ahead. Your incident response team need to be warming up key contacts so that, when they have to press the button, it doesn’t shock anyone.

Incident Response Really Matters!

Brighton Bombing 1984 – IRA

No matter how good your security is, there will be a time when it fails. An attacker will get through.

This doesn’t mean you should ignore other controls. It doesn’t mean you should give up hope.

However, it does mean you need to have a plan B. A good incident response team gives you this plan B.

Halkyn Consulting – Site Redesign / Cyber Security Cluster
http://www.halkynconsulting.co.uk/a/2015/11/halkyn-consulting-site-redesign/
Sun, 22 Nov 2015 18:10:39 +0000

As you may have noticed, the Halkyn Consulting website has undergone a redesign. This aims to improve our responsiveness on multiple platforms, allow us to expand our services without compromising readability and help showcase our new activities.

The new site is now fully live. If you have any comments or feedback we would love to hear from you. You can get in touch with us via the blog or our contact page.

Over the coming months we will continue to improve, based on your feedback. Additionally, we are continuing to add services and this will be the subject of a future blog post. This is all part of our drive to provide world class services across all security disciplines.

Linked to this, we are proud to be active supporters of the North Wales Cyber Security Cluster. This group meets monthly and everyone is welcome to attend. The objective is to help all members learn about cyber security. Each month, different guest speakers cover a relevant topic. This is then followed with extensive group discussion and information sharing. Since joining the Cluster, Halkyn Security is proud to now be considered a core member. If you are interested in cybersecurity, please get in touch with the cluster organiser and come to the next session.

Our plans for the next year are to increase the awareness training packages we deliver. To meet this, we will be speaking to Cluster members about running free sessions across North East Wales. If this would interest you please get in touch. At the end of November Halkyn Consulting is assisting Heimdallr & the GTA. For this event we will deliver a 2 day package on Cybersecurity. Find out more on the GTA Website. Further courses are planned next year.

AV is not dead – it just has limits
http://www.halkynconsulting.co.uk/a/2015/10/av-is-not-dead-it-just-has-limits/
Mon, 26 Oct 2015 09:00:42 +0000

Antivirus (AV) has been around for decades now and this is both a good and bad thing. On one hand, AV is so well known most people already understand that they need to have it. But on the other, all the attackers know about it. This means the first step in pretty much every attack is “bypass AV.”

AV is not dead, just understand what it can and can’t do.

The reality is, bypassing AV is actually not that hard. Partly this is because there is a tendency for antivirus software to use “signature” based detection. Here, all an attacker needs to do is make an insignificant change and the signatures can be totally different.

Even the better AV products, which use things like heuristics, can be bypassed with freely available tools. An example is the Shikata ga nai framework designed to leave AV helpless.

Basically, everything these people are saying is correct. Attackers can and will bypass antivirus. Often they will do it with very little effort.

Despite what the vendor may tell you, you can have a top end, fully updated AV product and still get hacked. A lot.

But this is missing the point. It doesn’t mean that the product is useless or that we should all give it up and live in an AV-free world. It just means that, like every security product, it has its place. Remember, there is no holy grail, silver bullet, product that can do everything and protect you from every cyber threat.

The important thing to remember is if you DON’T have antivirus, even the lazy attackers who can’t be bothered to bypass it will get in to your system.

Bringing AV Back to Life

So, we’ve established that the reports of antivirus being dead are premature, but what do we do about it?

Remember, security is all about defence in depth. You need to be adding so many layers of controls that the attacker runs out of steam long before they hit your important assets. Within this model, AV has a crucial part to play.

With this in mind, here are our handy hints on how to keep AV alive in your organisation and make sure it is providing the value you expect.

Review your security model. AV has a part to play but it is only a part. Make sure you have other controls.

Fund AV properly. Don’t blow your budget on an incremental improvement to AV, but also don’t scrimp and get some freeware version which you can’t manage.

Implement good security practices. Whatever else you do, you need to consider the top three security controls: Application Whitelisting; Patching; Privilege Management. With these in place, your AV works much better. Without them, you will still get hacked. A lot.

Use your antivirus. We’ve lost count of the number of incidents we are called to support which have an origin in a machine where AV has been disabled or not updated in months. This is poor practice.

The key point here is that AV needs to be part of your security controls. It should never be the only control you have but that isn’t enough of a reason to not have it. While it is possible for reasonably low skilled attackers to circumvent your antivirus controls, you would be amazed at how much it will still stop.

If you implement the three security good practices mentioned above, and run an up-to-date AV tool, 90% (or more) of attacks will fail.

Supplier Security – A lesson for T-Mobile
http://www.halkynconsulting.co.uk/a/2015/10/supplier-security-a-lesson-for-t-mobile/
Sat, 03 Oct 2015 20:34:29 +0000

Supplier security problems result in this notice from the CEO of T-Mobile

Supplier security is something most organisations are at least aware of, and lots actually realise they need to do something about it. However, most of the time, “doing something” about it involves a quick chat with the supplier, possibly a generic check-list and a review that the contract at least mentions security. The problem is the belief that, if the supplier drops the ball, it is the supplier who will suffer the harm.

This week, T-Mobile USA were unfortunate enough to be the example showing why that mindset is really, really wrong. There is no escaping the fact that supplier security matters. If you aren’t driving them hard, things will end badly.

Supplier security – what went wrong for T-Mobile?

First off, for the avoidance of doubt, there is no reason to think T-Mobile have done anything wrong. Nothing here is meant to imply they failed to implement good supplier security controls.

Yesterday, it was reported (here and here) that the credit checking agency Experian had suffered a major breach. The breach exposed personal data belonging to T-Mobile USA customers. Initial reports are that the breach lasted over 2 years and around 15 million records have been compromised.

It seems the attacker(s) accessed a file containing every credit check Experian has ever conducted for T-Mobile. The customers put their faith in T-Mobile and there was no breach at T-Mobile. However, they are still the ones who will feel the impact here.

As an immediate damage limitation exercise, Experian have offered anyone affected by this a free 2 year account on ProtectMyID. Unfortunately this means you need to continue trusting Experian, and it's not clear how effective a credit checking agency will be at general ID protection.

For T-Mobile, this is a pretty painful situation. They had no breach, but their customers suffered. Some customers will blame T-Mobile for this. Some customers may leave T-Mobile. Customers don’t care about supplier security.

Don’t forget, if this was the UK/EU, the Data Controller is the one who gets the fine, not necessarily the Data Processor.

Supplier security – what should you do?

No one wants to be in the same boat as T-Mobile but every business needs suppliers of some description. So, the question is, how can you check your supplier security is good enough?

Step 1 – actually take your supplier security seriously. Don’t assume it is just a task you have to tick off on an audit list. Don’t assume all your suppliers are the same. You need to fully integrate your supplier security processes into everything you do.

Step 2 – risk assess your suppliers. Not all suppliers carry the same risk. Not all suppliers need the same level of scrutiny. Supplier security is never a one-size-fits-all problem. Some suppliers will provide business critical services. Some will be able to cause you massive reputational damage. Some won't. You need to understand every supplier. In some cases, it may even be necessary to war game possible scenarios so you can really understand how things can go wrong. Figure out what happens if they go bust, get breached or just mess up. Once you know this, you know how much pain you can feel from this supplier.

Step 3 – drive the supplier security process. The low risk suppliers can probably stay with the check list approach. The high risk suppliers really need a dedicated supplier security assessment. This means you need to dedicate resources to go and fully understand how the supplier protects your services. If they aren’t up to scratch, find a new one.

Whatever approach you decide, the most important thing is having an approach to supplier security which you actually use.

Never allow yourself to fall into the trap of thinking your suppliers don’t need supervision. Never fall into the trap of thinking that their problems will only be their problems. Never fall into the trap of assuming contracts will protect you.

Phishing and Malware – FedEx missed delivery
http://www.halkynconsulting.co.uk/a/2015/09/phishing-and-malware-fedex-missed-delivery/
Tue, 08 Sep 2015 22:26:23 +0000

It seems that every day, new script kiddies discover the likes of the Social Engineering Toolkit or Metasploit and launch a new wave of phishing attacks. Unfortunately it seems that this time the attackers are too lazy to even try.

FedEx Delivery Phishing Email

Today’s email – screenshot on the right – is a reasonably straightforward phishing attempt. The idea is to convince the victim that the attachment is interesting enough to open. When it is opened, bad things happen.

Normally, a phishing attack will put at least a bit of effort in, but not this time.

As you can see, the text itself is very short. This may be an attempt to avoid spam filters, but it also has the effect of making this email look like almost NO other commercial email. As an example, when was the last time you got an official email without a pointless disclaimer somewhere?

Secondly it ticks every box in the “anti-Phishing” awareness lessons:

The from address name doesn't relate to the displayed address.

It doesn't mention me by name.

The English doesn't make sense.

The dates are the wrong way round (for British people!)

Having an email address of @tauntsociety.com just seems designed to raise suspicions.

It makes no sense to send a shipping label by email, let alone have it in a zip file.

None of this is encouraging me to open the file. Hopefully no one reading this would open the file either. However, sadly, there are enough people who will, to make the attacks continue.

Newbie Phishing or did it get some things right?

Amazingly some parts of this attack are effective, but I don't think that is a result of the phishing source. It's more a case of chance.

The email arrived into Exchange today and was not detected as malicious by two web based mail scanners.

The email was delivered to the client machine and not detected as malicious by the local AV (Avast) or Windows Defender. (This is unusual, as a check of the hash value on VirusTotal shows Microsoft detects it as malware.)

The payload is detected by Sophos as a ransomware trojan dropper so any unwitting home users who have run this are likely to either lose all their data or pay the ransom.

Ransomware is very big business so it is surprising that the attackers here have gone to the trouble of finding malware less than half the AV clients will detect (and most only with very recent database updates), but spoiled the phishing attack with terrible execution.

Surprising and fortunate for a lot of people really.

Phishing is here to stay

The main take-away lesson here is that phishing attacks will never go away. Some will get through every technological defence you have so it is critically important that you secure the human.

There is no escaping this. If your users are not security aware, you will lose data to these attacks as long as you are on the internet.

Techie Bits – The Phishing Attack Path

Looking at the message headers, it looks like this attack has been launched by someone using a form-to-email script on either a site they manage, or one with very weak controls.

Below is the list of message headers, and I’ve marked in bold the interesting bits. (And yes, I’ve redacted a couple of bits because it shows some internal data I don't want webscrapers to pull out of the text, no other reason).

The from and reply-to addresses are completely untrustworthy as this is a phishing attack designed to get the victim to open a payload, not reply. This means there is no reason to assume they point to a valid mailbox. However in this instance, they point to one on tauntsociety.com.

The mail went via websitewelcome.com’s email server using an account called valence@sheridan.websitewelcome.com

Websitewelcome.com appears to be provided to resellers by HostGator, and it appears that sheridan.websitewelcome.com hosts a cPanel portal for webmail.

Both valencestreet.com and tauntsociety.com are registered by the same person at 2400 Valence Street, New Orleans. This appears to be a residential address and the owner has used a gmail account to sign up.

The tauntsociety website looks like it hasn’t been cared for in a while although there is an associated twitter feed which is very active.

The header data here does not give us any better insight into the source of the phishing attack than it came from “valence”.

Based on the totality of information here, the most likely attack path is that a malicious party has used the script on tauntsociety to send an email. It is also likely that the script is hardcoded to present the valence@sheridan.websitewelcome.com account credentials.

While this instance has been a private individual, who may or may not have the knowledge to properly secure a website, similar attacks happen using corporate servers every day.

At Halkyn Consulting we research this out of curiosity, but some attack victims will be reporting it to the police. It may be possible for them to be more accurate than the “Valence” account, but this is very much a gamble and it is just as likely that websitewelcome.com don’t store any more details than the credentials used.

As a result, if your company owns sites with scripts that fall out of good management, you will find yourself liable for the misuse. And you really don't want that.

Finphishing – 8 steps to criminal profits
http://www.halkynconsulting.co.uk/a/2015/08/finphishing-8-steps-to-criminal-profits/
Fri, 28 Aug 2015 14:33:12 +0000

FinPhishing – or financial spear phishing – is a form of social engineering attack which is becoming massively profitable for the criminal enterprises involved. Unfortunately for the victims it is very cheap to deploy and nearly always gets past technological security controls such as spam filtering and malware detection.

FinPhishing – short and succinct message, simple to generate but potentially deadly to the victim.

As a result of this, businesses across the globe are losing fortunes in fake wire transfers to overseas bank accounts with only limited hope of ever getting their money back.

FinPhishing (under various names) isn’t new – there are reports of Scoular Co. (a US-based private equities trader) losing $17.2m to a FinPhishing attack in June 2014. This was followed in January by the Internet Crime Complaint Centre reporting that US businesses had lost $214m to similar scams in the previous 14 months.

More recently, in early August, Ubiquiti Networks disclosed a loss of US$46m to a FinPhishing scam which was discovered in June.

FinPhishing is big business for criminals.

What is FinPhishing?

In summary – financial spear phishing (FinPhishing for ease) is a type of social engineering attack which tricks the victim into making a large sum transfer to a bank account managed by the attackers.

The attacks are all very similar and rely very heavily on corporate culture to work. Unfortunately the tendency of designers to make email user interfaces more “user friendly” actually helps the attacker here.

The FinPhishing Attack

The screenshot accompanying this post shows an initial finphishing email received by a target company. From this we can see the key elements of how the attack is constructed:

Attackers look over public websites for information to identify the business structure. This includes obvious sites such as LinkedIn but also ones people don’t tend to directly post their own data to, such as ZoomInfo.com.

Once they build up your organisation chart, they try to identify a person in a position of authority (CEO, MD etc) and a person working in a finance role. The finance person is now the target of the attack (victim).

The attackers craft an email looking like it has come from the CEO/MD etc., often including the correct email address in the message “From:” field, but it will have a different email in the Reply-To or X-Sender headers.

The message makes a terse request about sending funds for some urgent business activity. The brevity means it bypasses most spam filters and the lack of payload or malicious link allows it to bypass AV or threat monitoring.

The victim reads the email and it looks like it is legitimately from the CEO/MD – unfortunately most email systems only show the From address – so they reply either asking for more details or in some cases starting the process.

Very alert victims may notice the email client now shows a new email address in the “To:” box but this is actually very rare and sophisticated attackers can mask this.

Once the victim responds, the phishers know they have access to a live person who at least partly thinks the request is legitimate and they can begin the second stage of the attack which is an initial transfer of a reasonably small amount of funds (often in the $50 – 100k region).

If this works, the attackers will go all out and generate increasingly urgent, demanding requests to get as much as possible before they are detected.

Security measures

At its core, FinPhishing is just a social engineering attack. This means you need to concentrate on the people involved.

Provide all of your workforce with security awareness training which emphasises the risks from social engineering attacks.

Ensure anyone working in finance understands what this sort of attack looks like and what to look out for in a phishing email.

If possible, configure your mail clients to give as much detail as possible about the message headers.

Establish authorisation processes so that no one can transfer large amounts of money out of your business without solid confirmation – no matter how urgent it may be.

If you are caught by this scam, alert your bank and involve the police or law enforcement as quickly as possible. Recovering funds is always going to be difficult, so any delay will just make it worse.

Summary

FinPhishing is cheap, easy and lucrative. This means there is currently little or no incentive for attackers to stop and the low technological requirements mean that even if current attackers are caught and move on, others will fill the gap.

The best, possibly only, defence is to ensure you have robust processes and alert staff. If you do fall victim to an attack, make sure you can react quickly and hopefully you will save your business.

Security breaches – do you know what to do next?
http://www.halkynconsulting.co.uk/a/2015/07/security-breaches-do-you-know-what-to-do-next/
Wed, 22 Jul 2015 22:51:07 +0000

One sad fact about security is that no matter what controls you put in place, you will suffer breaches and if you are on the internet it is likely to happen sooner rather than later.

Anonymous – often linked to security breaches and globally distributed enough that it is hard, if not impossible, to anticipate if, when and how they will attack

People sometimes hold to a “physical world” security model which has a clearly defined threat actor (e.g. a burglar) casing properties in their target area for an eventual break-in. If you are unlucky enough to leave a door open on the night they are casing you, you get robbed.

This is a good way of thinking but it is crucial to remember that on the internet, the burglars are worldwide and they are running automated tools which are constantly casing your property to see if there is something they can exploit. This means any momentary lapse (such as not applying a software patch, or changing a configuration setting) can be found by attackers and exploited faster than most people realise. The lesson is simple: Breaches can, and will, happen at any time of the day or night, while you are working, sleeping or on holiday.

This is not saying your security controls are useless – far from it. Without them, the breaches will be more frequent, more damaging and harder to recover from. You do, however, have to avoid the mindset that security is putting in place controls and then saying “job done.”

If breaches are inevitable, why do I need controls?

Let’s clear this up first. You need your security controls. You really do.

Security is best delivered by applying layers of controls and constantly striving to maintain and improve them. Good security controls help you with:

Making you a hard enough target that lots of attackers, especially script kiddies, will simply go elsewhere.

Delaying attackers enough that your detection systems will be alerted to their presence.

Collecting enough data to allow you to investigate breaches.

Being adaptive enough to respond to attacks in real time.

If you come from a physical security background, this might be familiar as all security controls have the same basic requirements.

So, breaches happen, what do I need to do?

First off, if you are reading this as a breach happens, it is too late. Sorry. Incident response is all down to planning. If you don’t plan properly, any successful incident response activity is pretty much down to random chance. Secondly, if you handle regulated data such as personal data/PII, credit card data etc., then you need to make sure your plans meet the relevant regulatory requirements. The advice here is generic and high level.

So, to answer the question:

You need to plan, plan and plan some more. Your plans need to include who is responsible for doing what. Your plans need to cover everything from minor incidents to breaches which put your company's very existence at risk.

Test your plans. This is crucial. Make sure everyone involved knows what they need to do. Make sure the communications channels you have work. Make sure it all works at any time of the night or day. Make sure it works when your key decision makers are unavailable. Then test it all again. And again.

Provide resources for incident response. This isn’t free. If you are a small business with limited internet facing systems you might just be able to get away with an ad-hoc incident response team, but don’t assume a good sysadmin or a good networks person makes a good incident responder. Also remember breaches are stressful. Your incident responders will burn out if you ask them to do too much.

Learn from your mistakes. Just as breaches are inevitable, so are incident response mistakes. You need to be mature enough to analyse your behaviours and learn from what went wrong. Your attackers are constantly improving; you need to do the same.

In practical terms

Responding to breaches – six steps

As part of your plans, you need to be aware of the six high-level steps of incident response (see image), and your processes need to cover each step.

You need to make sure that you have an incident response team who have the right skills and knowledge to do the job. You also need to make sure you resource the team well enough that they aren’t trying to juggle a day job as well as respond to incidents and you have some way to rotate people.

There are no hard and fast rules on how much of your security budget should go on incident response – it really depends on your individual circumstances – but two things are always true. You need a security budget and some of it must be spent on incident response. Don’t fool yourself into thinking anything else is financially sensible or a long term option.

Make sure your incident response team either have the authority to act or the ability to seek this authority at very, very short notice any time of the day or night. The last thing you want is the complete loss of your network because the incident responders didn’t have the authority to pull the plug on an infected machine and couldn’t find the person who did.

All of this goes a long way to making sure your organisation is resilient enough that an incident can’t kill you. At the end of the day, that is what really matters.

Halkyn Consulting – Vacation and Course Period
http://www.halkynconsulting.co.uk/a/2015/05/halkyn-consulting-vacation-and-course-period/
Fri, 15 May 2015 20:04:46 +0000

As our existing clients may be aware, Halkyn Consulting has entered into a three week period where we maximise our courses and vacation time. During this period we will be unable to respond to new clients but will continue to service existing clients.

During this period there will be a delay in our responses and we may be unable to provide copies of the ISO27001 checklist as quickly as normal.

Security researchers demo GPU Keylogger
http://www.halkynconsulting.co.uk/a/2015/05/security-researchers-demo-gpu-keylogger/
Wed, 13 May 2015 21:17:37 +0000

Reported on the Register today, security researchers have demonstrated how malicious code can be run on graphics processors (GPUs) rather than the central processing unit (CPU) at the heart of a computer: http://www.theregister.co.uk/2015/05/13/graphics_card_malware_gpu_keylogger/

Security Patches – Internet Explorer – Act Fast
http://www.halkynconsulting.co.uk/a/2015/05/security-patches-internet-explorer/
Wed, 13 May 2015 21:06:48 +0000

For lots of enterprises, security patches are a pain to test, a pain to deploy and frequently frustrating when they require downtime for the inevitable system reboots.

However, security patches are also a significantly important mechanism for protecting your environment against attacks. They really are.

Security Patches – May 2015

This month, Microsoft have announced 13 security patches – three of which are rated as “critical” by both Microsoft and SANS despite there being no known exploits in the wild.

Unfortunately for lots of organisations, this means that they will downgrade the priority and, in some cases, will delay patching for weeks if not months.

This is a mistake.

On the day security patches are announced, it is rarely clear if exploits are out in the wild. The nature of vulnerability research means that lots of the specifics are kept quiet and often different researchers hit upon the same vulnerability at the same time.

The problem is that it isn't JUST the researchers who find vulnerabilities.

So, on the day the security patch is released, we know that there are “white hat” researchers who can exploit the vulnerability, but we don't know whether any (or how many) nasty “black hat” types have also found it. If Metasploit doesn't have a module for the exploit then we sort of guess it's not in the wild, but this is just a guess.

Security Patches – IT Plasters

From here things get worse. As soon as patches are released, the bad guys will be able to start reverse engineering the code and building exploits. Worryingly this can happen an awful lot faster than most IT managers would ever imagine.

It is realistic to assume that within about 24 hours of a security patch being released, high end hackers will have a way of exploiting the vulnerability. Within 48 – 72 hours more will have it, and by the end of the first week exploits will be available to pretty much any malicious hacker who wants one. It might not yet be a Metasploit module, but that just means you are safe from the bottom end script kiddies.

Delaying patches is a massive mistake. Check them, test them and get them into the environment as quickly as possible or make sure you fully understand the risks and have some compensating controls in place.

Phishing attacks continue to evolve and spread malware
http://www.halkynconsulting.co.uk/a/2015/04/phishing-attacks-continue-to-evolve-and-spread-malware/
Sun, 26 Apr 2015 14:30:04 +0000

As most internet users know, phishing attacks are very common. The term itself dates back to 1995 (e.g. AOHell) and social engineering (which is basically what phishing is) goes back as long as we have had societies.

Phishing Email – note the detail attempting to give it an air of legitimacy.

At a basic level, phishing is an attempt by a malicious party to get the recipient (victim) to carry out an action. Over the years this has ranged from giving up sensitive details (passwords, credit card details etc) to simply opening a malicious file.

Following on from the success of these attacks, banks and credit card companies have taken significant steps to combat fraud so, now, the majority of phishing attacks look to get you to open a file. Examples include documents such as “invoice.xlsx” or “payment.pdf” type files. These are normally “trojans” which, when opened, will carry out attacks on your operating system directly.

Most of the time, these phishing messages are generated by scripts across multiple languages. Frequently this results in the awkward English which alerts the recipient and forms the bulk of most anti-phishing awareness training.

However, the attackers are always evolving and today our email systems started getting this message:

Dear Sir,

I am trying to call you on phone now to explain to you about the amendment of the invoice as discussed on tuesday but your number is not connecting. regards to our phone call on tuesday afternoon, i have attached to you the profoma invoice for the new order.

You have to know that attached is the amended proforma invoice and design for our shipment, because price in invoice was not our agreement after the confirmation of the order. please you have to confirm that the stated prices are correct.

We expect to receive the shipment of goods within the specified time on this order. kindly give me your confirmation and your profoma for payment arrangement.

As you can see, there is a massive element of legitimacy around the content here, it is able to get through lots of spam filters and it is likely to be convincing enough for a lot of people to open the attached RAR file. (The attached file contains a trojan downloader which can flood the target machine with lots of unwanted additional software).

The bad news here is that the attackers are becoming more advanced in their trickery.

The good news is that they are still quite obvious when you know what to look for and this phishing provides lots of examples to use in your awareness training packages.

Phishing Indicators

Using this email, we can list the key indicators which should make any recipient suspicious enough to look into things further. Some are more technical than others, but all internet users should be aware enough to at least consider them.

The email is unexpected. We have never done business with this organisation, have never given them a phone number, never had a phone call with this organisation and never made an order. Note: the attackers are trying to take advantage of people who might assume someone else in the organisation has made an order. Don’t fall for this.

The email is vague. There are no specifics. The recipient name isn’t used. There is no indication as to what the goods might be. Note: the attackers have to be vague because they don’t know what the target organisation is likely to sell. This is a good clue it is phishing.

The language used is awkward. This is harder for non-native English speakers and should only be a weak indicator of phishing. However, for native English speakers, the grammar and language is very unusual. The first sentence of the middle paragraph is trying to get the recipient to open the attachment, but the language used is unfathomable. Note: Attackers tend to use scripts to generate phishing messages which leads to this weird use of language.

The recipients are hidden. The attacker has used a mailing list of targets but the content implies this should be a very one-to-one message. It seems unlikely that they would have had the same phone problems with multiple organisations, so it makes no sense for this message not to be to a named person. Note: the attackers are trying to mask the size of their mailing list. Any message which is to a hidden list should be treated as suspicious and is almost certainly spam.

The from address doesn’t match the company name. As you can see in the screenshot above, the message appears to come from lima@generalemballage.com but the signature line is empireinternational.com. This is unusual and should make any reader wary of the content. Note: Attackers often have to use hijacked mail relays or compromised accounts which is why the recipient address is often unusual. Always check it.

The URL is wrong. Business Empire International has a web presence and the postal address matches the details given in the email – however, its website is http://bei.com.pk/ not www.empireinternational.com (which at the time of writing appears to not be in use). This indicates that the scammers may have been gearing up to create a “backstory” website to give credibility, but a Google search indicates the correct URL to visit. Note: Phishing counts on people not checking the details, so make sure you do check any emails you are suspicious of.

Finally, a technical check indicates that none of the information presented in the email headers is trustworthy, making the entire message suspicious. Note: it is probably not worth checking every email but learn how to check file headers in your chosen mail client.

The technical details mentioned above are the internet headers (File > Properties in MS Outlook). For this message the key bits were:

This tells us where the message originated and from this, it looks like the phishers had access to a Dedicated Server account hosted in Sweden. It is likely that they have actually compromised a workstation and are using this connection rather than a direct attack on the servers.

Next we look at the from and reply-to fields:

From: "Ishmel Zahab "<lima@generalemballage.com>
Date: Sat, 25 Apr 2015 17:03:05 +0800
Reply-To: sales@empireinternational.com

This is a very good indicator of phishing – the From account is on a different domain to the Reply-To. Attackers often use this to make sure any curious reply messages are captured by them, rather than by the person they are impersonating.

The compromised service appears to be cpanel.puniar.com but this doesn’t exist as a web address.

The sender domain is generalemballage.com – which exists but appears to belong to an organisation located in Algeria and Tunisia.

The user ID recorded for the outbound email (the account that authenticated to the sending server) is hrd@puninaryusen.com. This email address is associated with a lot of job adverts in Indonesia.

All of this gives us some useful background on the phishing message. We can, with reasonable confidence, conclude that the hrd@puninaryusen.com email account has been compromised (probably by malware) and is being used to spread more malware via some open mail relays and possibly a compromised mail account owned by generalemballage.com.
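The three header checks walked through above (hidden recipients, a Reply-To in a different domain from the From, and the originating hop in the Received chain) can be scripted so they run on every message rather than only the ones that look odd. The following is an added example and is not code from the original post. The From, Date and Reply-To lines in the sample are the ones quoted above; the Received, To and Subject lines are constructed placeholders (the hostnames and the 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation values, not the real Swedish origin), and the hidden-recipient test assumes the common "undisclosed-recipients:;" group form or an empty To.

```python
import email
from email.utils import parseaddr

# Constructed sample message. From, Date and Reply-To are the values quoted in the post;
# the Received, To and Subject lines are made up for this example (RFC 5737 documentation
# addresses, not the real origin). Received headers are listed newest-first.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.5])
\tby mail.recipient.example with ESMTP id A1B2C3; Sat, 25 Apr 2015 09:03:20 +0000
Received: from cpanel.example.test (cpanel.example.test [192.0.2.10])
\tby mx.example.net with ESMTP id D4E5F6; Sat, 25 Apr 2015 09:03:10 +0000
From: "Ishmel Zahab "<lima@generalemballage.com>
To: undisclosed-recipients:;
Date: Sat, 25 Apr 2015 17:03:05 +0800
Reply-To: sales@empireinternational.com
Subject: Order enquiry
Content-Type: text/plain

Please see the attached purchase order.
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in an address header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def origin_hop(msg):
    """The 'from ...' clause of the earliest Received header, i.e. the hop that injected the mail.

    Each relay prepends its own Received header, so the last one in the list is the origin.
    Anything below the first hop you control can be forged by the sender, so treat the
    result as a lead for further checks, not as proof.
    """
    received = msg.get_all("Received") or []
    if not received:
        return ""
    unfolded = " ".join(received[-1].split())   # collapse folded continuation lines
    return unfolded.split(" by ")[0]


def analyse(raw):
    """Return human-readable findings for the three header indicators discussed in the post."""
    msg = email.message_from_string(raw)
    findings = []

    # 1. Reply-To pointing at a different domain from the visible sender.
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")

    # 2. Recipients hidden: empty To, or an empty group such as "undisclosed-recipients:;".
    to = (msg["To"] or "").strip().lower()
    if not to or to.endswith(":;") or "undisclosed" in to:
        findings.append("recipients hidden (no visible To address)")

    # 3. Where the message entered the mail system.
    hop = origin_hop(msg)
    if hop:
        findings.append("origin hop: " + hop)
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

The Received check deliberately reports the hop rather than deciding on it: the sending side can insert any number of fake Received lines beneath the first one written by your own mail server, which is exactly why the post concludes that none of the presented header information can be trusted on its own. Cross-check the reported origin against the Authentication-Results (SPF/DKIM) header your gateway adds before acting on it.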

It also gives us every confidence in deleting the message without ever opening the attachment.

As there are a couple of other organisations that already appear to be compromised by this campaign, it would be good practice to notify them – however this may be difficult if they don’t have public “abuse” or technical support contacts. As an example, puninaryusen.com doesn’t have a functioning site, so there may be no one to respond to the phishing report.

So, in summary, phishing is likely to remain with us as long as people interact with other people. It is important to make sure you (and your employees) stay far enough ahead of the attackers that you can spot their methods, and understand your systems well enough to realise when someone is trying to trick you.

If they get past your defences, then it is time to roll out the incident response but that is for another day.

Budgets – Security’s friend or foe
http://www.halkynconsulting.co.uk/a/2015/03/budgets-securitys-friend-or-foe/
Mon, 09 Mar 2015 09:55:24 +0000

Budgets are integral to every business. The start-up’s business plan has to include budgets and the multinational will have an entire finance unit geared around making sure that every year the numbers are crunched and budgets allocated.

Budgets need to be managed properly or security suffers

At a very fundamental level, a budget allows businesses to grow. It allows them to develop without going bankrupt. It mitigates the risk of excessive or wayward spending by employees. Possibly most importantly, budgets can limit financial exposure and ensure that the company can continue to pay dividends.

This is good. This is all good.

This is also essential for business security. Without defined budgets, it is impossible for a company to even know if it is overspending, or taking too much risk, and this seriously undermines security.

Unfortunately budgets frequently develop a life of their own. As organisations grow, so does the budget and so does the complexity. This is where, suddenly, your budget strategy can start to work against you.

For start-ups, it isn’t a problem. Most of the time, the financial data will be theoretical and simple. The budget is there to get funding and it is all controlled by one business unit.

As businesses get bigger, one of the first changes which happens is creating different “business units” or budget categories. This can be hidden under lots of different names (cost centre, billing unit etc), but the effect is the same.

It is easy to see why businesses do this. Having separate budgets for separate functions helps focus spending. It also helps identify weak / strong parts of the business.

The problem is that security is all-encompassing, yet organisations create separate “security” budgets. This can create a major risk.

When budgets create risk – cutting costs

For most managers with budget responsibility, certain mindsets evolve:

Budgets should be reduced whenever possible, often every year.

Any budget not spent is lost in subsequent years.

Subordinates who come in under budget get rewarded (but their budget is reduced the following year).

Subordinates who increase budget are penalised.

In very basic terms, this makes sense. The idea is that it increases efficiency and rewards innovation. These are good traits.

It also means that business units become very focussed on what “rewards” them specifically and what they have to pay for. This is still good.

Where it goes wrong is when one cost centre realises it can cut its own costs because any impact will be carried elsewhere. This is a double whammy for the business: not only will the impact be felt somewhere, but the person who made the cut gets rewarded.

As mentioned before, security is really everyone’s business but gets parcelled off into its own department. Oddly, IT Security seems to be the worst affected by this, frequently seen as an unwanted part of IT rather than an essential business enabler.

By creating departmental budgets, your organisation may be unwittingly encouraging people to undermine security. Is this really what you want?

Security-damaging budgets – case study

Don’t let budgets dilute the overall cost to your business

In the last two months, Halkyn Consulting has worked with two organisations who have suffered from this. Both encountered costly security issues which arose from the application of discrete budgets. Both had very good security teams, who we assisted in developing improvements. Both could have saved significant amounts of money by not cutting budgets earlier on. Both rewarded the personnel responsible for the savings but had no mechanism to hold them accountable for the costs.

Just to reiterate: Both companies implemented “savings” which led to the overall organisation losing significantly more than they saved.

To explain this, we will use one of the clients as a case study into how budgets can bite.

Case Study: National business services provider.

Our client had a well-developed IT infrastructure supporting 24 office locations across the country, a single data centre and a large field sales team. The sales team were entirely reliant on portable devices. The organisation took its security seriously and had a well-resourced IT Security team. All is good so far.

The cost of purchasing mobile devices was taken from the regional sales teams budgets. The cost of responding to security incidents was taken from IT Security. The cost of managing security infrastructure was taken from IT Security.

About 24 months ago, a well meaning sales executive saw a way to reduce costs. The sales teams were purchasing “approved” devices which were built to meet the IT Security requirements. It turned out to be a lot cheaper to let users bring their own devices (BYOD) or purchase more basic ones off the shelf.

In all, the sales executive shaved approximately £150,000 off the cost of purchasing assets. This aligned with a major move towards mobile technology and data-sharing applications.

The problem was that now, the IT Security team had little or no control over what was happening. Worse than that, the IT Security team had no knowledge of what was happening. The move to BYOD was done in such a way that monitoring was removed and after the first wave of new devices, no one even thought to engage the IT people.

After a few months problems started to occur. Malware was on the rise. Users were falling victim to phishing attacks. Devices containing commercially sensitive data were lost.

In hindsight, the increased security cost of responding to these incidents was assessed at £170,000 in the first twelve months alone.

Then a pretty nasty bit of malware hit. One of the field sales team was infected. The malware sent itself to everyone in his address book, the vast majority of users became infected and started sending outbound spam, and the field sales team were, in effect, acting as a massive criminal botnet. More than a few users were then hit with ransomware and critical data was encrypted. As a final nail, only now was it discovered that the users with trendy BYOD devices didn’t have centrally managed backups, and the data was irretrievably lost.

The final assessment was that in the 24 month period, security incidents had cost the company a total of £385,000 in direct costs and an unknown amount of lost sales.

Because of the company structure, however, the costs were carried by the IT Security department and the savings were carried by the field sales department. The executive who led this change was rewarded with a large bonus 18 months ago and left the company 12 months ago.

The bottom line? The sales executive was rewarded for losing the company over £235,000 simply because the budget structure made it initially look like a saving.

Staysure security breach leads to ICO Fine
http://www.halkynconsulting.co.uk/a/2015/03/staysure-security-breach-leads-to-ico-fine/
Mon, 02 Mar 2015 09:00:48 +0000

The Information Commissioner’s Office announced on 24 Feb 2015 that it had levied a monetary penalty of £175,000 against the holiday insurance company Staysure. The fine came about as a result of Staysure suffering a security breach on their website which exposed more than 100,000 customer records and led to more than 5,000 customers having their credit cards used by fraudsters.

What is really surprising about the ICO investigation – and almost certainly led to the fairly large fine for a private sector body – is the discovery that Staysure had some very serious security failings.

Attackers potentially had access to over 100,000 live credit card details, as well as customers’ medical details. Credit card security numbers, the number on the signature strips on the back of the cards, were also accessible despite industry rules that they should not be stored at all.

The important bit is the last sentence. Staysure massively failed to comply with PCI DSS, which prohibits storing the card security code after authorisation, and by retaining this data exposed their customers to monumental risk.

This is bad practice and any security professional would advise against it. In fact it is hard to see how this can be done while still complying with any of Staysure’s IT security policies, until you read further on in the announcement:

The company had no policy or procedures in place to review and update IT security systems, and had twice failed to update database software which could have prevented this incident. This left security flaws in the system, some for as long as five years, which hackers ultimately exploited to gain access to customer information.

So, it seems that despite providing an insurance product, in a heavily regulated industry and handling large amounts of very sensitive personal and financial data for their customers, Staysure failed to implement some basic security controls.

Staysure has been in business for ten years and has carried exploitable flaws for at least five of them.

Staysure insurance fined for failing to have any security policies.

It is hard to know what the impact on Staysure’s business will be as a result of this breach. It may be minor – beyond the fine – but for any company dealing with customer data this is a massive risk to have carried for so long.

Retail security in an online world
http://www.halkynconsulting.co.uk/a/2015/02/retail-security-in-an-online-world/
Sat, 21 Feb 2015 21:23:34 +0000

The internet has been changing the world for decades now, and nowhere has this been more obvious than the retail sector. Internet access has opened up new markets, invented new businesses and allowed retailers to grow in ways never before imagined. However, along with this growth, the internet has also shown that retail security needs to evolve and adapt to keep up.

Retail security – behind a computer, it’s hard to spot criminals

Earlier this year, we talked about the BRC Retail Crime Survey, which highlighted that retailers in the UK are quite rightly concerned about the security risks they face as they go online. Correctly, the BRC placed a lot of emphasis on the police to investigate crime and arrest criminals, however the basics of retail security really need to be driven by the retailers themselves.

Retail security in an online world needs to follow on from the good practices driven by centuries of experience – shops lock up at night, tills are kept safe, stock is protected – it just needs to adapt.

Retail security – online threats

The first step to adapting is understanding how things are different online. This is important because all too often retailers leave their doors wide open, their tills abandoned and their stock exposed simply because they don’t realise where the walls and doors have moved to.

By learning how criminals will leverage the internet, retailers can also learn what they need to do to avoid becoming a victim of crime.

While we can’t cover everything in one blog post – we can look at one common attack which frequently leaves a retailer out of pocket with very little risk to the criminal.

Triangulation attacks

One type of threat which retail security faces in the online world is called a “triangulation attack.”

Retail security threats – triangulation attack workflow.

The way this attack works is quite simple – which is why it presents a growing problem for retail security and can cost businesses dearly.

A criminal gets hold of a stolen credit card. This is surprisingly easy: criminals can either steal card details by hacking other retailers or buy them directly on the black market.

The criminal posts an advert online. Often on eBay, but other second-hand sales portals (such as Craigslist, Facebook marketplace etc) are used. This is normally for a fairly high value item such as the latest iPhone or games console. However, as retail security becomes more aware, criminals are moving to sell less obvious items.

The innocent customer bids or purchases the item. The customer is pretty innocent in all this and normally just thinks they are getting an excellent bargain.

The criminal places the customer’s order with an innocent retailer. This is where the triangulation begins. Using the stolen credit card, the criminal orders the goods to be shipped to the innocent customer’s address. The customer, however, pays the criminal – normally via a hard-to-trace PayPal, Moneygram or Western Union transaction.

The credit card company’s security kicks in. At some point the stolen card will be reported and blocked. Unfortunately this is often after the order has been placed and the innocent retailer has shipped the product. This is one reason why retail security needs to link up with other sectors to function properly.

The bank / card payment company refuses to pay or reclaims the funds. For the retailer, this is where it really hurts. Frequently, the retailer has already shipped the product when the bank reverses the payment, leaving the innocent retailer out of pocket.

Retailer has to make a choice. When a retailer becomes a victim of this scam, they have to decide if they can absorb the loss and move on, or if they are going to try and recover the product from the customer. Having a good retail security policy in place before this happens will help you decide which is best for your business as both options carry costs.

Everyone but the criminal loses out. As a retailer, even if you manage to get the product back from the customer, you will have lost time and money in recovering it and you will certainly have lost a lot of goodwill with the innocent customer. The criminal, however, has made off with the customer’s money and is likely to be very difficult to trace.

As you can see, for very little effort, the criminal has made a profit and without good retail security measures in place, the retailer and customer have lost out.

A few years ago this sort of attack was pretty much entirely aimed at Amazon, eBay and the likes, however this is no longer true. The big targets have spent massive amounts of money on building anti-fraud teams, retail security specialists and e-crime investigators so the criminals have moved on.

Now, any retailer, in any sector, is at risk.

Don’t wait until it is too late and don’t rely on the police to lock your doors. Good retail security is the responsibility of every retailer.

ISO27001 Self Assessment Checklist hits record downloads
http://www.halkynconsulting.co.uk/a/2015/02/iso27001-self-assessment-checklist-record-downloads/
Thu, 19 Feb 2015 10:56:55 +0000

The ever popular ISO27001 self assessment checklist is now being downloaded around 1000 times a month. Since we published it in October 2013, there have been over 13000 copies downloaded and we have provided unprotected versions to over 900 different organisations and individuals.

Hopefully this is a sign that security is being taken seriously across the globe! As always, if there is anything your organisation would like advice on, we’d be more than happy to assist.

Retail security, business protection, loss reduction
http://www.halkynconsulting.co.uk/a/2015/01/retail-security-business-protection-loss-reduction/
Tue, 20 Jan 2015 22:21:59 +0000

Retail security is in the news again as the British Retail Consortium (BRC) report that crime in this sector has reached a 10 year high. This reporting appears to indicate crime accounts for almost 0.2% of the total sector turnover.

As reported by the BBC this includes the possibly obvious activities such as shoplifting, but also some more high tech twists as cyber crime and internet fraud are being included.

The summary of this is that crime, in general, presents a fairly significant risk for any retail business, even though the sector itself is quite large:

Crime cost the UK retail industry £603m in the 2013-14 financial year, 18% higher than the previous 12 months, according to new research.

This is the highest level of crime in the retail sector reported since the BRC began keeping records in 2003. For some retailers, especially in the small to medium business sector, the losses incurred through criminal activity outweigh any other operating cost, and for every asset stolen the business owner not only loses a sale but must pay to replace the loss.

For most retailers, crime in this sector is assumed to be mostly shoplifting with jewellers and electronics stores also facing the risk of more obvious robberies.

However, the BRC report also shows that online activity presents a very significant issue for UK retailers and, combined with fraud, this criminal activity has more than made up for a reduction in the traditional methods: (Again, from the BBC News item, emphasis mine)

customer theft made up the bulk of the criminal activity, accounting for 81% of all incidents

retailers reported a total of 135,814 incidents of fraud, up 12% on the previous financial year

there were five robberies per 100 stores in 2013-14, a 29% decrease but the cost per robbery fell only marginally, from £1,316 per incident in 2012-13 to £1,280 per incident in 2013-14

It seems that for every robbery or burglary, there are over 100 fraud cases, driven by online / cyber criminals attacking the business.

This is captured in the Report itself with the following bullet point:

Retailers reported that cyber attacks pose a critical threat to their business.

Retail sector and Cybercrime

It shouldn’t come as a surprise that, as more of the retail sector moves online, so do the criminals targeting this sector. The BRC British Retail Crime report contains this statement:

The majority of retailers reported an increase in cyber attacks in 2013-14 and that they pose a critical threat to their business. These ranged from Denial-of-Service attacks to data theft.

The benefits from being online are significant – from direct engagement with customers to rationalisation of supply chains – so there is genuine value for all retailers to have some sort of presence.

However, as with all business decisions, this needs to be done with a clear understanding of the security risks and what sensible measures should be taken to minimise them. No retail organisation would open a store in a new area without doing at least some research but it seems the rush to get online bypasses this common sense approach.

The retail sector remains vulnerable to cyber attacks

In 2013-2014, the biggest cyber risks to the retail sector came from online fraud – largely credit and debit card fraud, however the report also captures the growing trend in more asymmetric cyber attacks such as denial of service, data theft and ransomware.

Although no major UK retailer has hit the news, in the US cyber attacks in the retail sector have produced massive headlines with Target, Home Depot and many other large chains falling victim.

For most smaller organisations, the internet is a great equaliser. It gives retailers the opportunity to sell their products with the same reach as the big chains.

However this means you face the same risks as the big chains, so can you afford the same security?

Retail cyber security – key risks

Cyber Fraud. Criminals will make fake orders, use fake payment cards and many more malicious tricks to get you to give them things for free. This can be harder to spot than real world fraud so you need to be on your guard.

Customer data. If you collect customer information, such as name & home address, you need to make sure you properly protect it or you could be fined under the Data Protection Act 1998 (with up to £500,000 in fines for a breach).

Credit / debit card data. If you process this yourself, you need to make sure it can’t be breached, and don’t forget this is very, very high value information for hackers.

Cyber vandals. Sometimes you will fall foul to “script kiddies” and other low-level miscreants. This is likely to lead to website defacements or denial of service attacks. Even though these seem trivial, they can become very costly to deal with and cause your business a lot of damage.

Competitors. Still rare in the UK, but the internet gives greater scope, especially in more competitive retail markets, for hard to detect and hard to prosecute corporate espionage.

Customers. Last but not least, there are always risks around what your customers do when they are on your websites or in your retail stores. For lots of businesses it makes sense to offer customers things like free WiFi access, but you need to make sure you have considered the implications – such as a customer using the free WiFi to commit criminal acts. In 2009, for example, a UK pub was fined £8k for allowing a customer to commit a copyright breach.

Retail cyber security – what to do

There is no magic bullet, one-size-fits-all, solution for cyber security, in the retail sector or elsewhere. If anyone claims they can provide this, it is likely to be a scam.

Cyber security is fundamentally the same as the rest of your security. It is about understanding the risks and taking the correct measures to minimise them.

Don’t be put off using the internet for your business. Yes, there are risks, but there are lots of benefits and lots of ways you can protect yourself.

Some things to consider include:

Firewalls

Antivirus

Email filtering

Patch management

Proxy servers for all internet traffic

Network filtering and acceptable use banners for guest/customer services

Robust business continuity planning

Encryption of all sensitive data

Outsourcing payment card processing

Good physical security

Penetration testing for all online applications

No article or blog post is ever going to compensate for detailed, specific, expert advice, so please make sure you seek out a specialist to confirm that what you are doing is sensible and effective.

Insider Threat – Apple Employee Jailed and Fined
http://www.halkynconsulting.co.uk/a/2014/12/insider-threat-apple-employee-jailed-fined/
Tue, 09 Dec 2014 20:39:53 +0000

The insider threat is in the news again. On 8 December it was reported that ex-Apple employee Paul Devine had been sentenced to jail and a fine following a guilty plea on counts of wire fraud and money laundering.

From the news reporting, this trusted insider was involved in providing Apple suppliers with confidential information about forthcoming products, which in turn allowed them to establish more favourable deals with Apple.

Apple filed its own civil suit against the insider, charging him with accepting more than $1 million in bribes from at least six supplier companies (as reported by C|Net).

Insider threat and crime

Crime can result in jail for insiders

This situation highlights what is likely to happen when an insider breaks the company policies as well as the law.

Paul was charged with very serious crimes – wire fraud, conspiracy and money laundering – which meant he faced 20 years in prison if found guilty. As a result, law enforcement investigative resources were involved and he had a very strong incentive to plead guilty to a lesser charge.

However, even if Apple recovers all $4.5 million of the fine, it is unlikely to cover the business lost over the five years he was providing insider information to suppliers, plus the costs of the subsequent legal actions.

Insider security breaches can be significantly harmful, even for the most technologically advanced company.

Insider threats and your business

The unfortunate reality is that most insider security breaches are not this high profile and are not this clearly a crime, but they can be significantly more harmful to the company involved.

Your trusted workers are the vital lifeblood for your business, they have to know secrets you want to keep from your competitors (or suppliers, or even customers) and this is why the insider threat is so harmful.

When it comes to risk assessments ask yourself how well you would cope if your key employees were cutting deals to get kickbacks from suppliers, customers or even competitors.

Can you cope with this happening?

Would you be able to detect it?

What could you do about it?

Combating the insider threat

There are no simple answers and any action you take to minimise the insider threat has to be driven by your own organisational risk assessments and prevailing circumstances. Your controls should evolve as your business changes and if you are ever in any doubt, specialist advice is available from Halkyn Consulting.

However, in very general terms, there are three things you need to consider in minimising the insider risk:

Pre-employment / Background Screening. Before you hire a new employee you should carry out some checks. As a bare minimum in the UK, you need to verify they have a right to work, but over and above this you should be checking that their application or CV is true and they are who they say they are. For sensitive posts you can consider additional checks into financial probity or criminal records, but this has to be proportionate for the role.

Employee Aftercare. Once you hire someone it is important that your organisation keeps employees feeling welcome and part of the overall team. Your managers should be alert to the indicators of disaffected or dishonest employees and co-workers should feel able to discuss concerns. Remember, it is in every employee’s interest that you stay in business.

Monitoring. Employees with access to sensitive or business critical information should be monitored and made aware of this monitoring. As part of your overall security environment, you should consider having audit controls in place to alert you to suspicious events (such as suppliers suddenly taking a hard line, or emails from an employee to a competitor) and a way to track behaviours back to the correct insider.
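The monitoring point above mentions alerting on events such as emails from an employee to a competitor. The following is an added example, not code from the original post, of what such an audit rule looks like when run over an outbound mail log. The log lines, the corp.example / rival-competitor.example / webmail.example domains, the watchlists and the 1 MB attachment threshold are all constructed for the example; in practice the watchlists come from your own risk assessment and the log from your mail gateway.

```python
from collections import defaultdict

# Constructed sample outbound mail log (not real data):
# timestamp  sender  recipient  attachment_bytes
MAIL_LOG = """\
2014-12-01T09:12:03Z alice@corp.example bob@supplier.example 2048
2014-12-01T11:40:19Z alice@corp.example a.lee@rival-competitor.example 1048576
2014-12-02T18:55:42Z carol@corp.example carol.home@webmail.example 5242880
2014-12-02T19:01:10Z carol@corp.example carol.home@webmail.example 4194304
2014-12-03T10:05:00Z dave@corp.example jane@customer.example 512
"""

# Assumed watchlists for the example: known competitors and personal webmail providers.
COMPETITOR_DOMAINS = {"rival-competitor.example"}
WEBMAIL_DOMAINS = {"webmail.example"}
LARGE_ATTACHMENT = 1_000_000  # bytes; threshold is an assumption, tune it to your traffic


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, sender, recipient, size) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, size = line.split()
        rows.append((ts, sender.lower(), rcpt.lower(), int(size)))
    return rows


def flag_events(rows):
    """Return (timestamp, sender, recipient, reasons) for each row that matches a watchlist.

    A large attachment on its own is normal business; it only adds weight when the
    destination is already suspicious, which keeps the alert volume reviewable.
    """
    alerts = []
    for ts, sender, rcpt, size in rows:
        dom = rcpt.rpartition("@")[2]
        reasons = []
        if dom in COMPETITOR_DOMAINS:
            reasons.append("competitor domain")
        if dom in WEBMAIL_DOMAINS:
            reasons.append("personal webmail")
        if reasons and size >= LARGE_ATTACHMENT:
            reasons.append("large attachment")
        if reasons:
            alerts.append((ts, sender, rcpt, reasons))
    return alerts


def summarise(alerts):
    """Count alerts per sender so the review can be tracked back to the individual insider."""
    per_user = defaultdict(int)
    for _, sender, _, _ in alerts:
        per_user[sender] += 1
    return dict(per_user)


if __name__ == "__main__":
    hits = flag_events(parse_log(MAIL_LOG))
    for ts, sender, rcpt, reasons in hits:
        print(ts, sender, "->", rcpt, ";", ", ".join(reasons))
    print(summarise(hits))
```

Two things matter more than the rule itself: staff must be told that this monitoring exists (the point made above), and the output must be reviewed by someone with the authority to act on it, otherwise it is just another log.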

Of course, none of this guarantees you will be safe from insider breaches, but they do mean you can minimise the risk and maximise your ability to detect and recover from them.

Remember, your employees are your lifeblood but it only takes the poison of one bad insider to kill off your business. Make sure your trust is well placed and remain alert to problems.

Employee Security – High risk terminations
http://www.halkynconsulting.co.uk/a/2014/10/employee-security-high-risk-terminations/
Thu, 23 Oct 2014 21:31:12 +0000

Employee security really does matter. Your employees are the lifeblood of every organisation. You put a lot of effort into hiring new staff, you train them, you nurture them and in return you get a massive amount of value. However, like it or not, there will come a point in time when even your best employee goes.

This is when your employee security program gets really tested. Even an amicable departure, where the employee is happily leaving for a new job, retirement or just to live a life of luxury after winning the lottery, carries with it risks for your business.

When the employee is being dismissed, things are much worse. If the employee has access to company secrets, or special privileges, then you have a very high-risk termination on your hands.

No one ever wants to plan for layoffs, downsizing or employee misconduct, but if one of these bad things happens to your business and you haven’t planned for it, the pain will be significantly greater.

When you dismiss an employee, for whatever reason, everyone involved is in an emotional state. This means mistakes will be made, tempers lost and bad things may happen. Bad things can range from losing data and clients, to acts of violence and vandalism.

You prevent this by having a clearly understood process, documented beforehand and agreed with any unions or employee representation. While this won’t make anyone any happier, it does mean you have the best possible chance to minimise any further harm.

Planning your employee security program to cover the whole career of your employees makes much more sense.

Employee Security – the basics

Fundamentally, there are three stages to employee security:

Pre-employment. This is what you do before you hire them. This includes interviews, reference checks, tests etc. For sensitive posts you should consider BS7858 screening, and for sensitive Government work clearances and vetting are likely to be needed.

During employment. Once you employ someone, it is crucial you don’t just end your employee security at the screening. Make sure employees are engaged and supported by your organisation throughout their career.

Resignation and dismissals. This is the high-risk area: the employee is about to leave and no longer has any loyalties or formal obligations. Disgruntled employees may steal or break things, aggressive employees may become violent and even otherwise perfect employees may take company secrets to their new employer.

Employee Security – your plans

Planning your employee security program is essential. Good planning will show your stakeholders your commitment to security and, in the event of a dispute, will provide evidence that your organisation has acted fairly and in a pre-agreed manner. If a dismissal goes to an employment tribunal, following a pre-arranged plan is pretty much essential.

You need to plan for each stage and should look to produce a published policy on employee security, laying out the objectives and reinforcing management commitment to the principles of fairness and security.

From this, build a list of plans for how you will address each of the three stages and what your expectations are.

An example would be documenting what pre-employment checks will take place, who carries them out, how decisions should be made on findings and how long data will be retained for both people offered a job and those turned down.

Employee Security – Resignations and Dismissals

Planning around employee exits is so important, it is suggested that you create several plans depending on the nature of your employees. You need to consider the role of the employee and what assets they have access to as well as the nature of the departure.

At a minimum, your plans must consider the following employee groups:

Employees with access to commercially sensitive information. This includes sales teams, commercial managers, developers etc. It is good practice to ensure Non Disclosure Agreements are in place and the employee is reminded of any obligations on exit.

Employees with privileged access. When it comes to system administrators, key holders and the like, you need to ensure your process fully revokes all access and is able to check that nothing has been subverted before the employee is finally let go. Discovering a problem after they have gone is going to cause you all kinds of pain.

Employees with high value assets. If you have team members who look after large amounts of cash, company cars etc., your plan should document how these are accounted for before the employee leaves.

Additionally, at a minimum, you need to plan for the following types of departure:

Retirement. Here the employee is likely to leave on good terms but you will lose corporate knowledge and should look to capture as much as possible.

Resignation to move to a new line of work. Similar to retirement, the employee is likely to be on good terms but you need to be sure all assets are returned and any commercially sensitive knowledge is protected.

Resignation to move to a competitor. While the employee may be on good terms, there is an increased risk of knowledge theft or the employee looking to access your clients for their new organisation. Ensure all plans include reinforcement of any NDA / Non-Compete agreements.

Dismissal from downsizing / restructuring. The employee is likely to be angry and annoyed at the organisation so efforts should be made to minimise any confrontation or situations which could lead to escalation. In most circumstances, once an employee is notified of a dismissal they should not be expected to continue with productive work.

Dismissal for misconduct. This is the highest risk. The employee is likely to be shocked and angry with a significant tendency to lash out. Your plan should look to minimise stress on all parties, ideally ensuring that the employee is notified by at least two people and once notified, the employee should not be permitted to return to any form of work or retain any company assets.

Planning your security

There is a lot to consider with employee security but it is crucially important to your business.

When you are a new or growing company, frequently taking on great new staff, the prospect of dismissal may seem impossibly distant. Unfortunately this is not true, and it is a very real event for pretty much every business.

If you plan properly – in advance – when your employees leave everyone will be happier and able to move on. If you fail to plan properly, the outcomes can be catastrophic.

Prison Service in NI Warned over Data Breach
http://www.halkynconsulting.co.uk/a/2014/06/prison-service-ni-warned-data-breach/
Sun, 22 Jun 2014 21:07:15 +0000

The prison service in Northern Ireland has been warned by the ICO over another data breach. The ICO press release is available online: http://ico.org.uk/news/latest_news/2014/prison-service-warned-after-maze-records-sold-at-auction-18062014

This incident relates to the Prison Service auctioning off a cabinet containing records from the Maze prison.

Interestingly, this breach took place in 2004, when the Northern Ireland Office was responsible, but nothing was reported at the time. In the end the breach was discovered while the ICO was investigating a Prison Service breach from 2012, which resulted in the Department of Justice being fined.

ICO Assistant Commissioner for Northern Ireland, Ken Macdonald, said:

“This is a story of basic errors and poor procedures, which if the incident happened today would see us issuing a substantial fine.

“The loss of this information represents not only an embarrassing episode for the prison service in Northern Ireland, but a serious breach of the Data Protection Act that could have had damaging repercussions for the individuals affected.

“The incident went unreported for eight years and the same mistakes were allowed to occur. It is only now that we have seen a commitment from the Department of Justice Northern Ireland to tackle these problems and keep people’s information secure.”

Sadly this is a common problem – basic security controls are either not in place or are allowed to be ignored.

At the most fundamental level, the Prison Service (or the Northern Ireland Office in 2004), should have maintained a record of what assets it was responsible for and their locations. This would have prevented the cabinet being sold off at auction.

Failing that, before any assets (information assets, technology or physical products such as cabinets and furniture) are disposed of, they absolutely must be checked to ensure no sensitive data is being accidentally leaked.

Hopefully the Prison Service has learned from this, and it should also act as a reminder to all organisations that they should review all asset lifecycle policies to make sure they are suitable.

Truecrypt encryption software still available for download
http://www.halkynconsulting.co.uk/a/2014/06/download-truecrypt-still-possible/
Sat, 31 May 2014 23:32:53 +0000

It seems that Truecrypt is too popular a tool for people to give up on it and version 7.1a is still available for download.

Download Truecrypt at Truecrypt.ch

A website has sprung up at truecrypt.ch offering downloads of Truecrypt binaries and source code.

The download site appears to have been set up by a Swiss national and provides links to multiplatform versions of Truecrypt 7.1a – as well as an archive hosting everything going back to version 1.0 of the software.

Unfortunately the site does not host a download of the source code, but it does link to a GitHub repository with it in.

This is an excellent resource, as truecrypt is a genuinely useful tool for people wishing to keep information private.

There is one important caveat here, however: there is no way to confirm the provenance or validity of any software you download from this site. It is not owned by the Truecrypt developers and most people will not be able to determine if the binaries have been tampered with.

As a result, and this is always good practice, if you opt to download Truecrypt from this site make sure you also check the digital signature (a “hash” value) against something you know to be correct.

The hash values will differ depending on how you generate them but most sites will list a selection. As an example, you can use the following sites to verify the signature of a truecrypt download:

http://truecryptcheck.wordpress.com/

http://video2.golem.de/files/1/8/13138/truecrypt_7.1a_download_und_hashwerte.txt?start=0.00 (note: this site is provided by Truecrypt.ch)

https://defuse.ca/truecrypt-7.1a-hashes.htm

And yes, the third site provides different hashes because it has assessed different versions of the Truecrypt 7.1a binary.

So, in summary, you can still download Truecrypt but you need to put a lot more effort into making sure that what you get is the real thing. If this is important to you, you need to download a different encryption package.

Truecrypt encryption software ceases production
http://www.halkynconsulting.co.uk/a/2014/05/truecrypt-encryption-software-ceases/
Sat, 31 May 2014 22:50:40 +0000

On 28 May 2014, the developers of the reasonably infamous encryption software Truecrypt apparently announced that the program was over and that the risk of security weaknesses meant people should stop using it.

Since this announcement, the Truecrypt website at http://truecrypt.org now redirects to the SourceForge page (http://truecrypt.sourceforge.net/) which reports that development ended in “5/2014” following Microsoft moving Windows XP out of support.

It also contains an ominous warning:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

(screenshot of the page below)

Truecrypt notifies the world it is over

Taken at face value, this is certainly a shame for millions of users across the world. Truecrypt, although never a profitable bit of software, has been used by countless reporters, dissidents and others wishing to protect their sensitive & private data. We frequently recommend Truecrypt to personal users and the only thing preventing it being an enterprise class tool was the lack of centralised management.

Most famously, Truecrypt was used by Edward Snowden and the journalist Glenn Greenwald to protect the NSA reports Snowden was trying to make public. Snowden’s continued use of Truecrypt has been taken by many to imply that the NSA hadn’t been able to compromise its encryption technology.

Unusually, as part of its closure notice, Truecrypt is encouraging users to migrate to Bitlocker (on Windows platforms), a whole disk encryption tool. This is only available to Ultimate, Pro and Enterprise licence holders, preventing this being an option for most non-Enterprise users.

Additionally, while it provides whole disk encryption, Bitlocker is not an exact alternative for Truecrypt as it lacks the following:

For some people, the ultimate issue is that Bitlocker is provided by Microsoft and there have long been accusations that backdoors or other covert accesses have been established to allow the US Government / Law Enforcement the ability to decrypt data. This has never been proven and is frequently denied by Microsoft. Bitlocker does have an option to place the encryption key in Escrow which may have led to these worries, but this is not mandatory.

As a result of the Snowden / NSA leaks casting doubt about a lot of security products, a crowdfunded audit of Truecrypt was set up. This produced its first set of reports on 14 April which found a total of 11 vulnerabilities, of which four were medium, four were low and three were informational-only (full copy of the report is available online).

If you have ever had any software, especially a complex one, audited & tested, you will agree this is a very positive set of findings and the report concludes that the bugs appear to be the result of code errors rather than intentional backdoors or malicious activity.

While a follow up report is due in the second half of 2014, overall this audit appears to be saying that Truecrypt version 7.1a is an acceptable product.

Truecrypt site – dire warnings and a new version

The audit findings and the warning notice on the Truecrypt page are actually pretty compatible. The notice says it may contain unfixed security issues and, assuming the developers never intend to change another line of code, this is true.

Bugs in software sometimes only come to light years after they were coded (Heartbleed is a good example of this) and if the developers are planning to retire from this project, then any future bugs will not only remain unfixed but may be backwards compatible enough to compromise data containers people create today.

However, the unusual thing here is that the site also provides a “new” version of Truecrypt (version 7.2) to enable users to decrypt their containers and migrate to Bitlocker (or their chosen encryption tool). This makes sense in the context that someone might find an encrypted container in the future and have no other way of accessing the data.

So, what happened to Truecrypt, and what is the future?

Without Truecrypt, selecting encryption software is a lot harder.

At the moment, the short answer is “Nobody except the developers really knows.”

The way the development ended has, unsurprisingly, stirred up huge numbers of theories. These range from it being a sulky pout when the developers realised that they were getting very little in the way of donations while the audit project exceeded its crowdfunding goals, to the conspiracy theory that this is a “canary” warning Truecrypt users that the developers have been subjected to something similar to a National Security Letter by the US Government, forcing them to hand over secrets which compromise the software.

With this notification, the development teams have pulled the binaries and source code bundles for all the older versions of Truecrypt, meaning the hobbled version 7.2 is the only one you can get now. This version will not allow you to create new encrypted containers and is simply there to help you migrate to a different platform.

Unfortunately there doesn’t seem to be one that currently matches the feature set of Truecrypt so, for most people, this will mean moving to a variety of tools.

As a brief checklist for home users / small businesses you might want to consider the following:

Something which provides you with whole disk encryption. This is essential for portable devices (laptops) and prevents people accessing your data if they steal your device.

Something which allows you to encrypt files or folders and move them on portable devices. This means you can create an encrypted object and move it from one place to another on portable devices such as USB sticks.

Something which works the same on all the platforms you use. This is essential if you have more than one operating system – such as Windows and Apple devices.

Something which allows plausible deniability. This means if you are ever threatened with violence or punishment, you can surrender one key and still protect the important data.

Unfortunately this can be a very complicated topic and we aren’t in a position to make blanket recommendations in a blog post. The choice of encryption tools will depend very heavily on your personal circumstances and reasons for protecting the data.

Physical security is important for data protection
http://www.halkynconsulting.co.uk/a/2014/03/physical-security-data-protection/
Sun, 23 Mar 2014 20:56:29 +0000

Physical security has always been a cornerstone of any Information Security program. As a topic, it is covered by every major security standard. Most have entire sections dedicated to physical security:

ISO27001:2013 has A.11 “Physical and Environmental Controls”

The SoGP has CF3.3 “Sensitive Physical Information” and CF19 “Physical and Environmental Security”

PCI-DSS Requirement 9 mandates […]

Despite this, controls are still being neglected. Private sector organisations and government agencies spend fortunes on security, but then compromise it by missing out physical controls.

What makes this stranger is that most physical security controls are cheap and easy to implement. Maybe it is just that they aren’t flashy and aren’t normally excitingly high-tech. Good security controls just work.

The perils of ignoring physical security

The Information Commissioner’s Office (ICO) has been busy enforcing the Data Protection Act this month, with a couple of actions being directly down to poor physical security practices.

First, on 13 March 2014, the ICO announced that it had issued an enforcement notice on Neath Care, with the following message:

[Neath Care] has been found in breach of the Data Protection Act after the files of 10 vulnerable and elderly people were found on a street in Neath Port Talbot.

It appears that the care agency failed to implement basic physical security controls such as asset management, monitoring and transport. This led to an employee taking the documents out of the office, dropping them and not realising until a member of the public reported it.

Often organisations have excellent controls around the expensive things (e.g. computers, laptops) but then forget everything once the data has come off the printer. It seems unlikely that an employee would leave a laptop on the pavement and not notice.

When handling sensitive data, organisations should have a comprehensive security strategy which includes handling, and accounting for, paper copies. All employees should be made aware of this and, as always, records must be kept.

The next breach of interest was reported by the ICO in a 19 March announcement. This time it was serious enough that Kent Police were fined £100,000. This was quite a shocking example of how people can forget to track old, low-financial-value physical assets:

The Information Commissioner’s Office has served a monetary penalty of £100,000 on Kent Police after confidential information, including copies of police interview tapes, was left in the basement of a former police station.

The highly sensitive information included records relating back to the 1980s, thought to have been left at the site when the building was vacated in July 2009.

The information was discovered when a police officer was visiting a business owner about an unrelated matter on 27 November 2012 and noticed a pile of tapes with the logo of Kent Police stuck on them. The business owner confirmed that he had found the tapes in the basement of the old police station, after purchasing the site two months before, and was planning on watching them for entertainment.

It is almost certain that none of the officers or staff abandoned these tapes on purpose. It is almost certain that the business owner took them with malicious intent. However, the breach still happened.

Most people will agree that police interview tapes are pretty sensitive affairs. The officers will be asking questions about crimes, possibly including otherwise unreported information, and the interviewee will be providing information they may not expect anyone else to hear.

Given that these tapes may have ended up being used as evidence, it seems strange that they weren’t properly accounted for when the station moved offices. The problem is often that boring, “old-fashioned” equipment is overlooked when people concentrate on the modern equivalents.

The ICO’s Head of Enforcement sums it up well:

How a police force could leave such information unattended in a basement for several years is difficult to understand.

Ultimately, this breach was a result of a clear lack of oversight, information governance and guidance from Kent Police which led to sensitive information being abandoned.

Good information governance has to include good physical security controls – the most basic of which is making sure you know where your assets are. Anything else is basically asking for a breach.

Physical security underpins everything

This is the crucial point. Good physical security controls are so important that, without them, all your other controls are undermined to the degree that they may become pointless.

Good physical security controls are cheap – in the two cases here, a simple asset register would have saved both organisations – and easy to implement. They don’t make headline news, they don’t get people excited on Twitter, they don’t come with flashy vendor presentations, but they do work. Isn’t that what actually matters?

In addition to this form, our security resources area has a selection of other tools you can use to assess, understand and improve your physical security controls.

As part of our commitment to improving security awareness in general, if there is a specific tool you can’t find but think would help people then please get in touch and we will see if we can help you out.

Remember – all good security builds on good physical security controls.

DPA Registration is important if you want to avoid a fine
http://www.halkynconsulting.co.uk/a/2014/03/dpa-registration-important/
Wed, 12 Mar 2014 20:55:18 +0000

Here in the UK, the Data Protection Act (DPA) has been law for 14 years now (the act is dated 1998 and commenced in 2000). Despite this, there are some organisations who are not aware of their obligations to comply, even when it is clear they are handling data which would be protected under the act.

On 11 March, the Information Commissioner’s Office (ICO) announced another fine for a DPA breach, and as with so many cases before it, this was easily avoidable. When it comes to the DPA, very small amounts of preparation really can make a difference.

The latest DPA fine was levied against a Cardiff-based company providing “green deals” energy assessments called Becoming Green (UK) Ltd.

The offence was uncovered when the company was being monitored following concerns about compliance. An ICO case worker noticed Mr Muhith [Green Deal(UK) Ltd’s company director] had not registered the company with the ICO. As Becoming Green (UK) Ltd processed customers’ personal data this was a breach of the DPA.

As a result of this failing, the company director, Mr Abdul Muhith, was fined £597 personally. The company was also fined an additional £597. Although not covered in the ICO press release, other reporting (the Mirror, online) on the company implies that the ICO was investigating as a result of Green Deal Ltd (a previous company run by Mr Muhith) using inmates at an open-prison to run telesales. This behaviour is likely to be seen as putting DPA regulated personal data at risk, justifying ICO involvement.

DPA Registration – what should have happened

As always, we can only work on the published information but it seems that this is a very clear cut example of spending £35 to prevent a £1194 fine. It is especially strange that a company already under the ICO spotlight didn’t take measures to ensure DPA compliance.

The DPA can seem daunting to some people, but the ICO provides a lot of free guidance (or you can engage specialist consultants to help ensure compliance) to help businesses determine what they need to do.

If you aren’t sure if you need to register under the DPA, the ICO website provides a self-assessment tool. This has very simple question sets and helps you quickly work out your obligations.

Should you need to register, this can also be done online and costs £35 a year to maintain. If you decide to risk it and not register, remember you need to last 35 years without being caught before it becomes cost effective…

Basically, registration under the DPA is simple, cheap, easy and a legal obligation. Failing to do so is madness.

Security logs can save your systems and data
http://www.halkynconsulting.co.uk/a/2014/02/security-logs-can-save-you/
Fri, 28 Feb 2014 20:57:54 +0000

It goes without saying that security logs are not the most interesting of topics. They are often viewed as a necessary evil, and in some instances they are even minimised to prevent storage or bandwidth issues.

Security logs aren’t interesting but they are very important.

Both of these approaches are wrong.

Boring or not, security logs are one of, if not the, most fundamental aspects of your IT security controls. Without good security logs you don’t even know if your system has been breached, let alone what you need to do about it.

Logging is so fundamental to security that most of the time you have to make a conscious effort to turn it off. For most people, the hard part is actually just deciding how much they want to store.

Unfortunately, even if you are sensible enough to have good logging turned on, there is one extra little step you need to take. Monitor the logs.

In January 2014, the US luxury department store Neiman Marcus announced it had been subjected to a major security breach (as reported by Krebs on Security) which may have compromised significant numbers of customer credit cards, charge cards and store cards. Some reports have stated that of the breached cards, over 9000 have been used fraudulently since the attack and this has fuelled significant debate over how it could have been prevented.

Based on a report published in February 2014, it seems the answer is actually – security logs. Bloomberg’s BusinessWeek reported an excerpt from the post-incident forensic investigation stating:

The company’s centralized security system, which logged activity on its network, flagged the anomalous behavior of a malicious software program—although it didn’t recognize the code itself as malicious, or expunge it, according to the report.

So far, this is good news. Security logs capturing unexpected behaviour is a good thing and exactly how you would expect a SIEM system to work.

However, things didn’t go as well as they should have:

The system’s ability to automatically block the suspicious activity it flagged was turned off because it would have hampered maintenance, such as patching security holes, the investigators noted.

This is the first major problem people face with security logs and event monitoring. Too often they are perceived as getting in the way of business and turned off…

In all, the report by Protiviti mentions 59,746 security alerts that were ignored or suppressed for one reason or another.

We are not saying that security logs alone would have defeated the attack here. However, if someone at Neiman Marcus had been alerted to the malicious activity, they could have done something. Instead, thanks to suppressed or ignored logs, the attack went through.

Security logs – what should you do?

Good security logs and good log management are critical for security. Top tips for implementing this are:

Collect as many logs as possible. Hard disk space is cheap. Turn on all logging and store the logs for as long as your business can justify. This really can’t be overstated. Collect logs. If you have security logs you can be alerted to incidents and you can investigate. If you didn’t collect the logs you can never create them afterwards. Whatever you do, make sure you collect logs.

Correlate the logs. You can do this with software or by “hand”. Correlation means having a way to know how one log entry relates to another.

Set up alerting. No human being will ever pay proper attention to log files themselves. Even if you find one who does, software will be faster, cheaper and work 24/7.

Fine tune your alerting. All logging creates false positives and false negatives. Tune the alerting until you get the right balance. Only you will know how important false positives are, so we can’t tell you how to tune. We can tell you that you should tune. If you don’t, your logs will swamp you. Just don’t tune too much, otherwise you will miss important things.

Respond to your alerts. This is why tuning matters. Once you have tuned your system, alerts are important. If development or business processes generate alerts, fix the problem, don’t suppress the alert. If you find yourself ignoring alerts, you’ve got something wrong.
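To make the correlate / alert / tune / respond steps above concrete, here is an added example (not code from the original post or from any product) that runs the whole chain over a handful of constructed SSH authentication log lines: it correlates failed logins by source and host, raises an alert when a burst crosses a threshold, escalates when a success follows the burst, and applies a tuning exception that is deliberately narrow (one source, one host, a documented reason and an expiry date) so that a known maintenance scanner is handled without switching alerting off, and so that suppressed alerts are still reported rather than silently dropped. The log lines, hostnames, addresses and the ticket reference are all constructed placeholders.

```python
"""Correlate constructed auth log lines into alerts, then tune them narrowly."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample log (syslog-like); hosts and addresses are placeholders.
SAMPLE_LOG = """\
2014-02-27T02:00:01 host1 sshd: Failed password for admin from 203.0.113.7
2014-02-27T02:00:03 host1 sshd: Failed password for admin from 203.0.113.7
2014-02-27T02:00:04 host1 sshd: Failed password for root from 203.0.113.7
2014-02-27T02:00:06 host1 sshd: Failed password for admin from 203.0.113.7
2014-02-27T02:00:09 host1 sshd: Failed password for backup from 203.0.113.7
2014-02-27T02:00:12 host1 sshd: Accepted password for admin from 203.0.113.7
2014-02-27T02:10:00 host2 sshd: Failed password for svc_patch from 10.0.0.5
2014-02-27T02:10:01 host2 sshd: Failed password for svc_patch from 10.0.0.5
2014-02-27T02:10:02 host2 sshd: Failed password for svc_patch from 10.0.0.5
2014-02-27T02:10:03 host2 sshd: Failed password for svc_patch from 10.0.0.5
2014-02-27T02:10:04 host2 sshd: Failed password for svc_patch from 10.0.0.5
2014-02-27T03:00:00 host1 sshd: Failed password for alice from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    host: str
    result: str  # "Failed" or "Accepted"
    user: str
    src: str


@dataclass
class Alert:
    src: str
    host: str
    failures: int
    followed_by_success: bool  # burst of failures then a login: escalate
    first_seen: datetime

    @property
    def severity(self) -> str:
        return "high" if self.followed_by_success else "medium"


@dataclass
class TuningRule:
    """A narrow exception: one source, one host, a written reason and an expiry.
    It documents a known cause instead of disabling the alert, and stops applying
    once it expires, which forces the underlying problem to be fixed."""
    src: str
    host: str
    reason: str
    expires: datetime

    def covers(self, alert: Alert, now: datetime) -> bool:
        return alert.src == self.src and alert.host == self.host and now < self.expires


def parse(text: str) -> List[Event]:
    """Turn raw lines into Events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                                m["result"], m["user"], m["src"]))
    return events


def correlate(events: List[Event], threshold: int = 5,
              window: timedelta = timedelta(minutes=1)) -> List[Alert]:
    """Group by (source, host); alert when >= threshold failures fall in one window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.src, e.host)].append(e)
    alerts = []
    for (src, host), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if e.result == "Failed"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f.ts - first.ts <= window]
            if len(burst) >= threshold:
                success = any(e.result == "Accepted" and e.ts >= first.ts for e in evs)
                alerts.append(Alert(src, host, len(burst), success, first.ts))
                break  # one alert per source/host pair is enough here
    return alerts


def tune(alerts: List[Alert], rules: List[TuningRule],
         now: datetime) -> Tuple[List[Alert], List[Tuple[Alert, str]]]:
    """Split alerts into those to respond to and those covered by a live rule.
    Suppressed alerts are returned with the rule's reason, never discarded."""
    kept, suppressed = [], []
    for a in alerts:
        rule = next((r for r in rules if r.covers(a, now)), None)
        (suppressed.append((a, rule.reason)) if rule else kept.append(a))
    return kept, suppressed


# Constructed rule: the patching account's scanner on host2, with a placeholder ticket.
EXAMPLE_RULE = TuningRule("10.0.0.5", "host2",
                          "patch scanner, change ticket CHG-PLACEHOLDER", datetime(2014, 3, 15))


def run(now_iso: str, rules: List[TuningRule]):
    """Full pipeline over SAMPLE_LOG as seen at time now_iso."""
    return tune(correlate(parse(SAMPLE_LOG)), rules, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    kept, suppressed = run("2014-02-27T03:00:00", [EXAMPLE_RULE])
    for a in kept:
        print(f"ALERT {a.severity}: {a.failures} failures from {a.src} on {a.host}")
    for a, reason in suppressed:
        print(f"suppressed ({reason}): {a.src} on {a.host}")
```

Rerunning `run()` with a date after the rule's expiry returns both alerts, which is the point of the expiry: a tuning exception is a dated promise to fix something, not a permanent off switch.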

Logging really is important. Security logs tell you what is happening on your network and support incident response. If you don’t log, you are blind. If you don’t enable logging before you get hacked, it is too late for you.

Just as important, and as Neiman Marcus has shown, is actually paying attention to the alerts your security logs generate.

Security is important to every business, not just technology or government workers. Retail organisations are increasingly targeted by hackers and criminals and security threats are evolving. It is no longer possible to assume that because you work in an unregulated environment, security doesn’t matter. Security does matter, so make sure you do it properly.

City of London Police – update
http://www.halkynconsulting.co.uk/a/2014/02/city-of-london-police-update/
Sat, 01 Feb 2014 16:13:48 +0000

As part of the cross-sector safety and security communications plan, the City of London Police have announced today some significant changes being made to reinforce the ring of steel around the Square Mile.

City of London Police: Ring of steel just got tougher

Mounted Officer – City of London Police. Photo by William Warby

New tactics, new tools and new technology will be launched in February to help protect the Square Mile from the threat of terrorism and wider crime.

New tactics: Following a successful pilot scheme towards the end of 2012 and further refinements throughout last year, a new, multi-layered approach to deter hostile reconnaissance throughout the City will be adopted as ‘business as usual’ from 10 February under the new name of Project Servator.

The new policing tactics involve replacing the old-style, single staffed entry points with highly visible deployments that can occur anywhere in the City at any time and draw on a range of varying resources including specially trained overt and plain-clothed officers, marked and unmarked vehicles, cycles, horses and dogs and other measures that may not be visible including CCTV.

This activity will be supported by officers trained to engage with and reassure visitors and the local community who also have an important role to play by reporting any suspicious behaviour and explaining to their staff and customers about the nature of the operations.

New tools and technology: In-car Automatic Number Plate Recognition (ANPR) and video systems have been fitted to 22 marked police vehicles, and new back-office software will ensure that all intelligence can be produced more efficiently and used in a more targeted way. Months of extensive trials are now complete and the new system goes live in February.

This significant capital spend will bring important benefits to officers working out on the streets.

Commander Operations, City of London Police, Wayne Chance, said:

“Protecting the City as a global financial centre remains a key priority for the City of London Police and, as the nature of the threat evolves, deterrence and detection measures need to develop accordingly.”

“As a force, we are the pioneers of a new approach to policing that aims to deter and detect criminal and terrorist activity, as well as to reassure the general public.”

“These new tactics, coupled with the new technology and tools to support our officers out on the street, will mean a more enhanced and strategic approach to protecting the Square Mile and is part of our drive to deploy our resources more effectively and more intelligently.”

Data protection needs good physical security
http://www.halkynconsulting.co.uk/a/2014/01/data-protection-physical-security/
Thu, 30 Jan 2014 22:11:16 +0000

Data protection is frequently in the news as organisations become more aware of just how important it is to their business. Unfortunately, all too often data protection measures focus on the technical aspects, overlooking the basic need for good physical security controls.

Technical controls, such as encryption & access management are important for data protection but they need to build on good physical security.

Security is all about providing layers of protection. If you ignore or weaken one layer, you weaken everything. If you don’t protect your physical assets, you aren’t providing proper data protection.

The multinational Coca-Cola recently discovered the importance of asset protection when it reported the compromise of 74,000 people’s data (as reported by Techworld):

Coca-Cola has admitted falling prey to bizarre slow-motion data breach in which an employee apparently stole dozens of laptops over several years containing the sensitive data of 74,000 people without anyone noticing.

According to the reporting, over a six year period, a former employee removed 55 laptops containing a mix of employee records. The data put at risk included information such as social security numbers and may have had significant market value.

An interesting twist here (from the same article) is:

The mystery of how the laptops disappeared is almost as strange as the fact that they later reappeared, allowing the breach to be characterised as temporary.

It seems the laptops were not being stolen for their resale value. This does raise the question about what the previous employee was looking to do with them.

Data protection – asset control

When we talk about temporary breaches of network assets, we normally mean that there was not enough time for a hacker to get in and steal data, or no evidence that one did. This gives some reassurance to the data subjects and helps narrow down process and policy failures.

In this example it may not be so reassuring.

The “missing” laptops were not encrypted. This means that for the whole time they were out of Coca-Cola’s control anyone could have extracted any of the personal data on them. It only takes a few minutes to copy thousands of files to a USB drive, so it would have been possible for every record here to have been copied thousands of times.

Importantly, the apparent total lack of any form of asset control here means it isn’t really possible for Coca-Cola to know how long they were missing. The available reporting indicates that if they hadn’t returned, no one would have even realised the breach took place.

Asset control is a pretty fundamental aspect of both good service management and good security. It is not just a “Physical Security” issue that IT teams can pass off to the site security teams, it is a fundamental requirement. If you don’t manage all your assets properly, all your other controls suffer.

ISO27002:2013 spells out the requirement for asset control in 8.1:

Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained.

It seems in this instance, the inventory either did not exist or it was not maintained. Without a well maintained asset list you can never be sure that other controls are working. In this case, if Coca-Cola had kept an inventory, it could have identified the lack of encryption.

127.0.0.1 redirect causing WordPress connectivity problems
http://www.halkynconsulting.co.uk/a/2013/12/127-0-0-1-redirect-causing-wordpress-connectivity-problems/
Mon, 30 Dec 2013 20:12:49 +0000

There seems to be a problem with either WordPress or one of its plugins that is redirecting the login script to a non-existent listener on localhost (127.0.0.1). At the moment we have implemented a work-around, but any contributors may have difficulty logging in. A quick Google search shows that this is happening to other users, so hopefully we can resolve it soon.

December DPA Breach Fines
http://www.halkynconsulting.co.uk/a/2013/12/december-dpa-breach-fines/
Mon, 30 Dec 2013 20:07:14 +0000

The run up to Christmas 2013 has shown that the Information Commissioner’s Office (ICO) is still busy fining organisations and individuals for breaches of the Data Protection Act (DPA). In December two new civil monetary penalties were issued, with a total of over £175,000. Both cases highlighted the value of being proactive and implementing good security controls in advance of a DPA breach, albeit in two very different ways.

Unusually, December saw one of the rare instances where the ICO levied a DPA fine (albeit a small one) against an individual working in the health sector. The second item was a much more significant penalty for a payday loans firm. This is less surprising as several organisations in that sector appear to operate as if regulations don’t apply.

DPA Fine for GP Surgery Manager

Early in December, the ICO announced the outcome of a case against a former finance manager at a GP surgery, who pleaded guilty to unlawfully accessing patient medical records on over 2000 occasions.

Discussing the DPA breach, the ICO Head of Enforcement, Stephen Eckersley, said:

We may never know why Steven Tennison decided to break the law by snooping on hundreds of patients’ medical records. What we do know is that he’d received data training and knew he was breaking the law, but continued to access highly sensitive information over a 14-month period.

As a result of this activity, Mr Tennison was fined a total of £996 and ordered to pay a £99 victim surcharge and £250 prosecution costs.

In this case the GP surgery appears to have had functioning detective controls, which allowed it to identify Mr Tennison’s unlawful behaviour and provide sufficient evidence to the ICO to avoid suffering any sanctions itself.

We have discussed issues around the insider threat (and the importance of pre-employment screening) before, but the sad fact is even the most trusted employees can go off the rails. What has worked here, and helped the Surgery remain compliant with the DPA, is that there were correct processes and policies in place.

This is a very good example of the benefits of investing in proper security processes before a breach happens. For organisations within the health sector, the alternative tends to be a hefty fine from the ICO, or worse:

The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

The other case from December centred on the marketing tactics of a Payday Loans firm which breached the Privacy and Electronic Communications Regulations rather than the DPA directly.

The company, First Financial, and its director had each been fined over £1000 in October for DPA breaches (failing to register), although it seems that this wasn’t enough to help them avoid falling into the ICO’s clutches a second time.

This time, the £175,000 penalty followed over 4000 complaints that First Financial were sending out unsolicited text messages to people. These messages purported to be from friends and encouraged the recipient to take out a very high interest loan.

Commenting on the company’s and the director’s behaviour, Simon Entwisle said:

People are fed up with this menace and they are not willing to be bombarded with nuisance calls and text messages at all times of the day trying to get them to sign up to high interest loans. The fact that this individual tried to distance himself from the unlawful activities of his company shows the kind of individuals we’re dealing with here.

We will continue to target these companies that continue to blight the daily lives of people across the UK. We are also currently speaking with the government to get the legal bar lowered, allowing us to take action at a much earlier stage.

In this instance the company was trying to hide its tracks by using unregistered SIM cards to send the messages, indicating that this was a blatant, deliberate violation of the DPA / PECR rather than ignorance of the law.

While it is unlikely that the director of First Financial would have been willing to implement good security controls to comply with the DPA, the fact is any organisation involved in direct marketing risks allowing this sort of behaviour. Without security controls, breaching the DPA / PECR can result in extensive fines undermining any profit made and risking a collapse of the business.

Good security and governance controls would have enabled First Financial to identify the risky behaviours in advance giving them the opportunity to remain legally compliant while still driving the business forward.

It is a shame that so many organisations believe they need to play fast and loose with the regulations rather than working to succeed in a legal and compliant manner. As long as this behaviour continues, the ICO (and others) will push for harsher and harsher penalties. In anything but the very shortest term, businesses which need to cheat the law to make a profit are doomed to fail.

Security and Governance controls really do protect the business and help it thrive in any environment.

Business continuity – 5 things to consider this winter
http://www.halkynconsulting.co.uk/a/2013/11/business-continuity-5-things/
Fri, 01 Nov 2013 15:27:15 +0000

In the northern hemisphere at least, winter is now upon us and this is the time for all business owners to think about how well their business can cope if the weather turns bad. In the UK we have had a succession of very bad winters and organisations of all sizes have suffered. In 2009 the snow is reported to have cost UK business in excess of £1bn. This rose to £6bn over the winter of 2010, and in the long winter of 2012/2013 businesses reported losing £500m a day.

Now, obviously these numbers include huge losses suffered by major organisations, but for most small to medium enterprises there was noticeable pain. The Federation of Small Businesses reported that in March 2013 alone, the snowfall cost small businesses an average of £1,580 and an average of 2.2 days trading were lost. For some, another bad winter might be enough to put them out of business entirely.

However, it doesn’t have to be this way.

Sensible business practices, and making sure “business continuity” arrangements are in place, can mitigate most, if not all, of the problems associated with bad weather.

This doesn’t mean you need to go through a full-blown BS25999 / ISO22301 process and produce reams of documents covering what your business will do if there is a volcano or aliens invade. However, it does mean you should take a good look at your business and see what you would need to do in the event of a problem. As the saying goes, failing to plan is planning to fail, and if your business is important to you, you should plan to keep it going.

Five key steps to protecting your business

At a very high level, there are five steps you can walk through to make sure you have considered the most likely and most relevant issues in protecting your business.

Location. Think about where your business is located – not just your head office, but any important sales locations, warehouses, depots etc. For example, if you are on a flood plain you need to anticipate being flooded. Once you have a good understanding of this, you will have a clearer idea of what risks your business faces.

Services. Next you need to consider what services are essential to your day to day running. Can your business function if the telephone lines go down? Do you depend on an internet connection for all your activities? Do you have your own electricity generators? Can your offices remain open if the water mains burst? When you identify what is important you can begin to plan how your business will react to likely problems.

Supply Chain. Once you are happy with your location and services, you need to consider what impact supply chain problems will have on your day to day operations. If you have a “Just in Time” supply strategy, you need to know you can cope if your suppliers are unable to deliver. A lot of this may highlight a need to check supplier contracts and carry out robust assessments of your suppliers.

Workforce. It may seem obvious, but making sure your employees and contractors can do the job you are paying them to do is often overlooked. It may seem strange to consider this after the earlier steps, but that doesn’t mean it is less important. Once you understand the risks your business faces and what you will need to do to keep office locations / warehouses (etc.) open, you will have a clearer idea of how best to manage your workers. Things to consider include allowing your workforce to work from home or arranging a way of getting people to alternative locations. All of this must be driven by your business needs, and planning ahead gives you the greatest chance of getting it right.

Infrastructure. The last in our list of high level concerns is the impact any infrastructure problems might have on your plans. By now you should have an idea of what risks your locations face, what services are required and where you need your suppliers and workforce. From this, you can now get a picture of what problems with national and local infrastructure may impact your business. Here you need to consider things like your employees’ ability to get to the locations – in the March 2013 snowfalls lots of roads and train routes were closed, and this can significantly impact your plans to send employees to remote locations. Ideally you should try to make sure your business continuity plans are not reliant on vulnerable routes. Additionally, you should consider how infrastructure issues will impact your customers – if you rely on an out of town sales location, consider how you can cope if snow cuts off the access roads for a couple of days.

When you have gone through each of the five steps, you will have an excellent idea of how your business can be impacted by unexpected situations. This doesn’t mean you can sit back and relax – now you need to make sure your business continuity plans make sense, address the issues and, most importantly, actually work.

In an ideal world, you will test your business continuity plans by playing out every possible scenario in real time, moving your employees around. However, for most small businesses this is overkill and will actually cause more harm than it will prevent.

This is no excuse, though, not to sit down with key members of your organisation and talk through the plan, looking for problems and challenging assumptions. This approach allows you to cover off dozens of situations for almost no cost – just a bit of time.

No one can really predict the future and the weather remains as unpredictable now as it was 2000 years ago but there is no excuse for not planning to keep your business up and running. Good planning can, for small businesses, be the difference between success and failure. Even if we have the mildest winter on record, it isn’t a waste of time.

If you want to know more about this, please get in touch and our security consultants will help you build a tailor-made business continuity plan and then work with you to make sure it is robust and tested.

ISO27001 compliance checklist available for download
http://www.halkynconsulting.co.uk/a/2013/10/iso27001-compliance-checklist/
Fri, 25 Oct 2013 20:42:30 +0000

As mentioned previously, we have now uploaded our ISO 27001 (also known as ISO/IEC 27001:2013) compliance checklist and it is available for free download. Please feel free to grab a copy and share it with anyone you think would benefit.

Designed to assist you in assessing your compliance, the checklist is not a replacement for a formal audit and shouldn’t be used as evidence of compliance. However, this checklist can assist you, or your security professionals:

to assess your current security measures in a structured way;

to make sure that you have looked at all the relevant controls;

to identify areas where your current controls are strong and areas where you can achieve improvements;

to achieve compliance with the standards;

to consider what evidence you have that could demonstrate your compliance to an external party.

Additionally, the tool can provide dashboards allowing you to present management information (MI) across your organisation. This shows where you are in your compliance program and how much progress you have achieved. Presenting information in this manner can be beneficial when it comes to winning stakeholder support in your security improvement plan, as well as demonstrating the value added by security.

You can grab the checklist directly (in Excel format) or visit the Security Resources part of our website for this checklist and many more useful security tools and documents. Halkyn Security makes these documents available to help people improve their security and we never demand you log in, or register, for access.

If you want the document in a different format (such as OpenOffice) get in touch and we will be happy to help you. The checklist uses basic office protection (to prevent accidental modification) but we are happy to provide unprotected versions on request.

We have tried to make the checklist easy to use, and it includes a page of instructions to assist users. If you do have any questions, or want to talk through the process, then let us know. Our security consultants are experienced in delivering ISO27001 compliant security solutions across a wide range of environments and we’d love the opportunity to help you improve your security.

Twitter – Possible social engineering attack
http://www.halkynconsulting.co.uk/a/2013/10/twitter-social-engineering-attack/
Tue, 15 Oct 2013 22:42:04 +0000

This evening I managed to end up getting my personal twitter account hijacked and malicious users were able to send out direct messages before I got at least some element of control back.

First off, I want to apologise to anyone who got a strange DM from me, telling them to click on a suspicious looking link. I’ve tried to delete them all now and I hope no one clicked on any links.

Although I can’t fully confirm this yet, the attack appears to have been the result of following a link to reset my twitter password. The email came from a very legitimate looking email account and the headers (see image) appear to be from twitter. However, when I did follow the link, and reset my password, I was immediately booted into a sort of limbo where I could neither log in nor out of my account. Eventually I got control back by opening a new browser session and forcing yet another password reset. In the three minutes while I couldn’t get access, several direct messages were sent out to people trying to get them to click on a suspicious looking link.

Twitter password reset email – background

At 2313 (all times UK BST) an email landed in my inbox saying it was from twitter and reporting that they had reset my password:

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.

Now, at this point, I hadn’t used my twitter account since 14 October and I certainly hadn’t added any new services or visited any websites which needed a twitter login. This meant I was a bit suspicious about the email so I checked the headers. Everything here checked out – and it still does, which is why I am a bit dubious about this being the attack vector – so, at 2320hrs I clicked on the link.

From here, I was taken to a legitimate looking twitter password reset page. I created a new password and things went a bit strange. When I put the new password in, I was redirected to a log in page again, which seemed a bit more unusual but I had no warnings about HTTPS errors or the like, so I tried to log in with the new password.

When I clicked to submit the password, I was immediately bounced back to the login page and this happened a couple of times. After the fourth attempt, I tried to click on the forgotten password link, but I just got a message saying I needed to log out again first – with no mechanism to log out.

At this point I realised something was up and that my twitter account was probably genuinely compromised now. Yes, I can be a bit slow on the uptake.

Twitter account recovery

When the penny finally dropped I started trying to recover my account. First I went to a new browser session, which was clear of any twitter cookies or saved data and requested a password reset. I got the password reset email at 2329, leaving a gap of 9 minutes between when I thought I had reset my password and when I got control of it again.

Twitter – Legitimate message headers

Being a bit paranoid now, I double checked the reset details but with some extra confidence as I had genuinely requested it this time. A copy of the message source is shown in the image here.

Worryingly it was pretty much identical to the previous one. As I didn’t have much to lose, I clicked on the link and reset my password.

This time, it went very differently and I was given proper access as you would expect. Once I had got in (2330hrs), I checked my direct messages and it seems that between 2320 and 2329hrs, my account had been sending out direct messages to my followers asking them to click on a link. Fortunately not that many had been sent (about 3 a minute) which may have been an attempt to avoid detection.

Analysis

Without access to twitter’s logs or the like, I can’t ever really be sure what happened, but there are clues available.

First off – the malicious direct messages were only sent in the period of time between my click on the first email and the password reset request. This means that the first email has to be treated with some increased suspicion, for the following reasons:

It was unsolicited.

It was unspecific.

It mentioned my twitter user name but not my “name” (which the later, legitimate email did).

It created the sense of panic about my account being compromised.

Despite this, the email has been digitally signed using twitter’s RSA key and the URL it referenced looks to all intents and purposes to be a legitimate twitter link for password resets.

The only difference I can find between the original message and the second (presumed legitimate) one is in the tracking string attached to it. On the first email, the link has the following appended to it:

However, it is hard to see how this can be converted into an attack vector, so it is probably nothing more than an artefact in the way twitter tracking works.

If the email hadn’t been compromised in some way, the next alternative is that some form of attack is being mounted when the password is being reset. During this time, as far as my browser was showing, I was connected over HTTPS and no alerts were shown.

Unfortunately it is unlikely I will ever get to the bottom of this, and it may have been a problem with a connected service or even a website and all the emails were legitimate – it was just a timing error that meant the attack took place in the gap.

If you have ever been in this situation, I would love to hear about it. Hopefully it can add some more knowledge and help solve the puzzle.

The main lesson here is to be on guard for any suspicious activity with social networking accounts. Even if you get a legitimate email, take time to double check what is happening and if things go wrong, act quickly to regain control.
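The header check described above can be partly automated for anything your own mail gateway already records. The Python below is an added example for this page, not code from the original post or from Twitter: it reads the Authentication-Results header the receiving mail server attaches, checks DMARC-style alignment (DKIM passed and the signing domain matches the From domain, or SPF passed and the envelope sender's domain matches it), and lists every link host whose domain differs from the sender's, which is where a tracking string or off-brand host would show up. Both messages, all domains, selectors and links are constructed; the real headers from the post were only shown as an image. The organisational-domain helper is a deliberate simplification (last two labels) where production code would use the public suffix list.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed messages for the example (domains, selectors and links are made up;
# these are not the headers from the post).
RESET_MAIL_SIGNED = """\
Return-Path: <bounce@mail.notifications-example.com>
Authentication-Results: mx.recipient-example.net;
 dkim=pass header.d=notifications-example.com header.s=sel1;
 spf=pass smtp.mailfrom=mail.notifications-example.com
From: Example Service <password@notifications-example.com>
To: user@recipient-example.net
Subject: Your password has been reset
Content-Type: text/plain; charset=us-ascii

We have reset your password. Choose a new one at
https://notifications-example.com/account/reset?token=CONSTRUCTED
Opened via https://t.tracker-example.net/c/CONSTRUCTED
"""

RESET_MAIL_UNSIGNED = """\
Return-Path: <bounce@mailer-hosting-example.org>
Authentication-Results: mx.recipient-example.net; dkim=none;
 spf=pass smtp.mailfrom=mailer-hosting-example.org
From: Example Service <password@notifications-example.com>
To: user@recipient-example.net
Subject: Your password has been reset
Content-Type: text/plain; charset=us-ascii

We have reset your password. Choose a new one at
https://reset-login-example.org/reset
"""


def org_domain(host):
    """Simplified organisational domain: the last two labels (a public suffix list does this properly)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(value):
    """Parse an Authentication-Results header (RFC 8601) into {method: {'result': ..., prop: value}}.
    The first clause is the authserv-id of the mail server that performed the checks."""
    clauses = [c.strip() for c in " ".join(value.split()).split(";") if c.strip()]
    results = {}
    for clause in clauses[1:]:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return results


def check_reset_mail(raw):
    """DMARC-style alignment check plus a look at where the links actually point."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    dkim, spf = auth.get("dkim", {}), auth.get("spf", {})
    # DKIM: the receiving server verified the signature and the signing domain matches From.
    dkim_aligned = (dkim.get("result") == "pass"
                    and org_domain(dkim.get("header.d", "")) == org_domain(from_domain))
    # SPF: the envelope sender passed and its domain matches From.
    mailfrom = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    spf_aligned = spf.get("result") == "pass" and org_domain(mailfrom) == org_domain(from_domain)
    # Links: report every host whose organisational domain differs from the sender's.
    hosts = re.findall(r"https?://([A-Za-z0-9.-]+)", msg.get_content())
    off_brand = sorted({h for h in hosts if org_domain(h) != org_domain(from_domain)})
    return {
        "from_domain": from_domain,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "authenticated": dkim_aligned or spf_aligned,
        "off_brand_link_hosts": off_brand,
    }


if __name__ == "__main__":
    for name, raw in (("signed", RESET_MAIL_SIGNED), ("unsigned", RESET_MAIL_UNSIGNED)):
        print(name, check_reset_mail(raw))
```

Two caveats, both consistent with the post's own conclusion. A passing check only shows that the message came from the sender's mail system, not that acting on it is safe, so an unsolicited reset notice still deserves a visit to the site typed in by hand rather than a click. And the Authentication-Results header is only as trustworthy as the gateway that added it: RFC 8601 expects your own border mail server to strip any copy that arrives from outside before adding its own, so check that it does.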

ISMS: New version of ISO/IEC 27001 – Time to update?
http://www.halkynconsulting.co.uk/a/2013/10/isms-new-version-isoiec-27001/
Mon, 14 Oct 2013 21:13:08 +0000

An ISMS is fundamental to how you make sure your business is properly protected.

As you may be aware, the ISO/IEC 27001 standard for Information Security Management Systems (ISMS) was updated and the 2013 version became the “official” version at the start of October 2013. The previous version for ISMS requirements was ISO/IEC 27001:2005, and for eight years now, organisations have been working towards, and achieving, certification to that standard.

ISMS Requirements – Changes?

The change between the 2005 version and the current 2013 standard is more than just cosmetic, and there are a lot of improvements for your ISMS. There are some areas where controls have been regrouped within Annex A, but there are also new controls for project management, outsourcing, design & engineering and information security events. Additionally, the risk management approach has been brought more in line with ISO 31000.

What should you do?

Overall, the main impact is that a lot of existing ISMS documents will need to be reviewed (and possibly references changed), and anyone working towards certification needs to make a decision as to which path they will go down.

If you are close to completing your implementation and will be able to get through all the required visits by the assessors no later than the end of September 2014, then you can opt to certify your ISMS against ISO/IEC 27001:2005.

Alternatively, you can make the changes required to realign your ISMS to ISO/IEC 27001:2013 now and work towards certification that way. If you are more than 12 months away from full implementation of your ISMS, this is your only option.

Unless you really are very, very close to finishing your ISMS certification against the 2005 standard, we would strongly recommend you use the new 2013 version.

If your ISMS is currently certified to the 2005 version of the standard, your certification will remain valid until the end of your 3 year renewal cycle. However once you come up for re-certification you will need to work against the 2013 standard.

As far as we are aware, it is not possible to recertify against the 2005 version during the twelve month “grace period” that has been offered for new certifications.

Supply chain ISMS certification

When it comes to your supply chain, one of the benefits of ISO/IEC 27001 certification is that it allows you to develop a level of trust. If your supplier has managed to achieve and maintain certification, then you have a reasonable level of assurance that they have implemented a working ISMS and will protect your data to at least some degree.

It is of critical importance that as part of this assurance you get access to copies of the documentation sets provided for certification, evidence that the ISMS is properly implemented and a good understanding of the scope submitted for certification audit. If you can tick these three boxes, you can have quite a good level of assurance around your supplier.

Now that the 2013 standard is official, you should also make sure that your supply chain moves to meet the new requirements in a timely fashion. As mentioned above, any certifications currently valid will remain so, but it will help for you to engage your suppliers and find out what their plans for the transition are. By October 2016 all your suppliers should have had to recertify and it is unlikely that any ISO/IEC 27001:2005 certifications will still be valid.

Coming Soon

To assist you with moving towards the 2013 standard, we will be providing a free downloadable checklist document that you can use to self-assess your ISMS compliance. Hopefully this will be ready before 25 October 2013.

Following on from that, we will also look to update our Security Policy Framework (SPF) mapping to assist suppliers to the Government / MOD. That is likely to be ready by the end of the year.

Physical Security – It still matters
http://www.halkynconsulting.co.uk/a/2013/09/physical-security-still-matters/
Fri, 20 Sep 2013 22:21:43 +0000

When it comes to security, there is an unfortunate tendency for organisations (large and small) to fall into the trap of treating their physical security as something separate or different from their information security needs. Despite physical security having a place in every international security standard (such as ISO 27001), ownership of physical risks often ends up being moved away from the “Information Security” specialists and bundled in with safety or facilities management.

As we have said in the past, physical security really does matter to your organisation. If you don’t take it seriously, it doesn’t matter how much cybersecurity you have in place, you will suffer losses.

There is an assumption that the big global banks are very much leaders when it comes to security and preventing criminals getting access to their money. Banks have led the way with development of anti-theft measures, counter-fraud, hacker prevention and much more. Most banks spend inordinate amounts of money building very robust networks with strong firewalls and access controls. This all makes sense, because when it comes to robbing money, most criminals dream of getting a big score from a big bank.

With this sort of threat level, spending lots of money on security is actually very sensible for a bank. As you may imagine, they really do spend lots of money.

This means that the recent news was a bit of a surprise. Not one, but two global banks were targeted by a reasonably unsophisticated type of attack which has been known about for over a decade and is countered by pretty basic physical security measures.

Keyboards – protect them with physical security

The first news broke around 13 September 2013 with reports that the Police Central e-crime Unit (PCeU) had foiled a planned attack by a criminal group in London to pose as an engineer and then plant a “KVM” switch in the Salford Quays branch. When this happened, BBC News reported that a gang of 12 people had been arrested in connection with the planned attack.

A week later (20 Sept 2013), a very similar news item appeared when eight men were arrested following the theft of £1.3 million from Barclays Bank using an identical attack. As reported, again by the BBC, this time a fake engineer visited the Swiss Cottage branch of Barclays and attached a malicious KVM switch to a computer. This enabled the gang to get remote access and siphon out the money.

While intelligence-led policing seems to have saved Santander from any loss, Barclays was not so lucky. Even if they do recover most of the money, the harm has still been done. This is a very good example of how spending a fortune on technical security controls can count for nothing. If there is a physical security weakness, attackers will get in.

(Note: a KVM is a “keyboard, video, mouse” switch which is normally used to allow one person to control several devices. In these attacks the KVM appears to have been linked to a device controlled by the criminals, allowing them to access the bank’s networks.)

Physical security protects assets – lessons learned

Although we may never know all the details, from the published reports there are some lessons for everyone here.

The criminals appear to have been trying to exploit two weaknesses – lack of physical security sweeps and a relaxed approach to service engineers. The fact that two global banks appear to have suffered the same issues is especially interesting and may be a sign that this is prevalent across business sectors.

First – how to combat the two main weaknesses that the criminals wanted to exploit:

Physical security is important. If your organisation separates physical and IT security, you will have a weakness that a criminal will exploit. Don’t fall into this trap.

Ensure your staff are security aware enough that they can spot when strange things appear on their machines or in the office.

If you have security guards / officers on site, make sure they carry out regular physical security sweeps. This should include checking for documents left out, cabinets left unlocked and any strange devices attached to machines.

Unless there is a business reason for it, lock down your computer ports. This won’t prevent a KVM switch attack, but it will prevent similar attacks on USB ports.

Manage your service providers. If an engineer comes on-site in a sensitive area you should be supervising them. No engineer should ever get access without having their credentials checked and any unexpected engineer visits should be treated with extreme caution.

Security, including physical security, is never perfect but if you can implement these five steps you will significantly reduce your risks.

One extra issue worth considering – although there is no indication it is relevant to the two cases here – is the risk of an insider being involved. If the criminal gangs had managed to subvert an employee, then they wouldn’t have had to sneak in as an engineer and the attacks become significantly harder to detect.

This is one reason why good background screening and employee after care is essential to your overall security posture. Without it, you are just creating a new opportunity for criminals to get access.

The overarching lesson here is that security is security. Protecting your business, preventing theft, guarding your reputation, keeping your assets safe (and so on) is all part of the same mission.

The more you fragment your security into different areas the more you increase the chance that a gap will appear which a criminal will exploit. You may not have the threat profile of a bank, but eventually criminals will notice your weakness and take advantage of it.

In recent years there has been a tendency to split information security off to the IT Department, personnel security gets pushed to HR and physical security ends up with the facilities management team. This is a mistake.

In an ideal world, your organisation will have a “security” department which covers all of this and has links to other departments as needed. Even if we don’t live in an ideal world, you need a centralised “Chief Security Officer” type role to join up the competing interests and make sure that all your security controls join up properly.

Frequently this is called “Holistic” security and buzzword or not, it just makes sense.

Encryption – it is your responsibility
http://www.halkynconsulting.co.uk/a/2013/08/encryption-it-is-your-responsibility/
Tue, 20 Aug 2013 21:54:29 +0000

Encryption is important. This has always been well known, and with the recent revelations about PRISM and related Government monitoring of communications, people have become understandably more interested in the topic. However, keep in mind the fact that doing encryption wrong is worse than not doing it.

In recent years it has become more and more common for people to store personal data and commercial data on a variety of 3rd party platforms – Google Docs, Skydrive, Dropbox, Box.net etc.

Encryption needs to be locally managed

At the most basic level, if you host your data somewhere outside your control – be that a cloud provider or a more traditional hosting arrangement – then you really should be encrypting it. When you do use encryption, it is of the utmost importance that you manage the keys yourself. Anything else gives you a very dangerous false sense of security and means your encryption can be trivially bypassed without you even knowing.

However, this fundamental principle seems to have been overlooked with Google’s latest PR campaign which looks to allay customer fears by implementing automatic encryption to all uploads. This is a very bad idea.

“We know that security is important to you and your customers. Our goal is to make securing your data as painless as possible,” Google product manager Dave Barth said in a blog post introducing the update.

Now, it is true that implementing encryption can be difficult, but that is largely down to the level of experience and expertise your staff have. If security is important, then you absolutely must make sure you have the right people to do it. If security is important, then this is really not the place to cut costs.

The article continues with this, also from Dave Barth:

“If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys. We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing.”

Now this is a bit calculating and presents an image which isn’t really true.

Remember the fundamental principle – if you don’t manage your own encryption keys, your data is insecure? Well, it applies here. It especially applies here.

Managing your own encryption keys may be a hassle, but it is less of a risk than trusting a third party to do it for you – especially a third party which has no real obligation to your stakeholders, is big enough to likely shrug off any legal efforts you make, refuses to acknowledge the jurisdiction of the ICO / Data Protection Act and was reportedly complicit in revealing data to the Government agencies it is implying it will protect your data from.

If you rely on Google’s (or anyone’s) automatic encryption, then you are relying on them making sure all their employees are honest and legitimate, making sure that they never go out of business, making sure that they never engage in covert arrangements with Government agencies or other companies, making sure they never get hacked, making sure they never have an outage when you need access, etc.

You may be confident that one or two of the above will never happen to your provider, but you actually need to be 100% confident that nothing bad will happen. Isn’t that asking a bit much?

Using automatic encryption may remove some hassle, but it significantly increases the risks your data faces, often to the point at which you are better leaving it unencrypted and assuming it has been compromised.

Encryption – the basic rules

When it comes to your encryption, there are actually some simple rules to keep in mind and the whole thing is easier than it looks. With encryption, the only hard parts are working out what technology to use and picking a suitable key (e.g. password).

All your data must be encrypted locally. Even if your provider uses SSL, before you send anything out of your immediate control you absolutely need to know that it is encrypted to whatever standard you have decided upon.

You must manage encryption keys yourself. These are the crown jewels and if you lose them or compromise them, your data is lost or compromised. However, keep in mind, things that are important to you might not be as important to other people so you are the best person to look after your encryption keys.

Store encryption keys separately from the data. If someone has your data and your key, the encryption is meaningless. Keep them apart unless you need to decrypt / encrypt.

Guard your encryption keys. It should go without saying that your encryption keys need to be backed up and protected. If you have an information classification scheme, your encryption keys should be treated the same as the information they protect. Try to avoid falling into the trap of encrypting your encryption keys though… that just gets confusing.

If you live in a country where the state can force you to reveal keys (such as the United Kingdom, China etc) or there is a risk someone could place you under duress, then consider a deniable container. This is offered by products such as Truecrypt and gives you the ability to surrender the outer encrypted data while keeping your secrets safe. This is especially useful if you or your employees travel and there is a risk of unwanted attention as it means they can comply with any demands (lawful or otherwise).

The bottom line is that encryption is not hard, it is not hassle and if you really do think security is important you should be doing it. The key phrase, however, is that you should be doing it, not someone else.

Suspicious mail advice – Advice from NaCTSO
http://www.halkynconsulting.co.uk/a/2013/08/suspicious-mail-advice-advice-from-nactso/
Mon, 19 Aug 2013 16:34:53 +0000

This communication regarding suspicious mail has been issued by the National Counter Terrorism Security Office (NaCTSO) and the Centre for Protection of the National Infrastructure (CPNI). Please feel free to forward it on wherever appropriate.

If you would like more advice about your specific situation, what risks you might face from suspicious mail (or other security related issues), or would like help training your staff in handling packages, then get in touch.

Suspicious mail advice

The recent delivery of a number of packages to an address in London led the recipient to believe that the contents were contaminated and request police assistance.

While the packages were found to contain a harmless substance and the matter was resolved, it has highlighted an opportunity to provide guidance on the safe handling of mail and the initial response when recipients have concerns regarding potential contamination.

This is especially the case with businesses and charitable organisations connected with the Department of Work and Pensions’ mandatory work activity placement scheme who may be the recipients of unsolicited packages sent as part of a campaign of protest against the scheme.

While we are not aware of any specific threat, details available on websites may have been used to identify such companies and encourage protest against them.

This is an important reminder for security managers to review their mail handling procedures and ensure that all relevant staff are aware of and understand the correct protocols. This in turn means that any item of concern can be dealt with appropriately and a proportionate police response can be provided.

Sensitive data should not go by fax!
http://www.halkynconsulting.co.uk/a/2013/08/sensitive-data-should-not-go-by-fax/
Fri, 09 Aug 2013 22:57:44 +0000

You may want to check your calendars again. Even though we are now well into the 21st century, it seems that some organisations are still sending sensitive data by fax machine – and not just the NHS (who were fined £55,000 for the inevitable breach). It seems banks, who really should know better, can’t help themselves.

Fax Machines – Don’t use for sensitive data

This month (August 2013), the ICO has issued a Civil Monetary Penalty (fine) of £75,000 to Bank of Scotland for repeatedly faxing customers’ sensitive data to incorrect fax numbers.

In the press release about the fine, the ICO notes that Bank of Scotland were even notified about the problem in 2009 but failed to take any corrective action. As a result, over 30 faxes were sent incorrectly. The faxes themselves included pay statements, bank account details, names, addresses etc. In all, an ideal haul for anyone looking to commit identity theft.

To send a person’s financial records to the wrong fax number once is careless. To do so continually over a four year period, despite being aware of the problem, is unforgivable and in clear breach of the Data Protection Act.

It is unforgivable.

Protecting sensitive data – lessons learned

The first point we want to hammer home is that you should not use fax machines for sensitive data. You really shouldn’t. If you are doing this, then stop now.

However, if you really must, and you have it on your risk register, then learn to do it properly.

If you send sensitive data use pre-programmed numbers. Do not rely on busy staff hitting the correct buttons.

Manage the process. Have a way in which errors can be rectified when you discover them.

Keep records of what you are sending and who it is going to.

Work to eliminate the use of fax machines for your processes.

The last point is worth looking at in more detail.

If you use fax machines for sensitive data you absolutely must be looking at a way to remove them. Sending data by fax is only slightly better than a totally unencrypted email and, in some respects, has more room for error. Remember, your fax goes unencrypted over what is now likely to be an IP switched network. At least with email you can put controls on your exchange server and firewall.

If you are capturing sensitive data from your customers, you owe it to them and your business to do it properly. It is even more cost effective to do it properly.

Continuing to send sensitive data by fax is begging for an ICO sanction.

Take this opportunity to review your processes. Determine what sensitive data you are collecting and how you move it around your organisation.

In this example, Bank of Scotland were collecting application forms physically from customers and faxing them to a central processing unit. It is hard to think of a reason why this wouldn’t have been better sent over internal email. Most modern business copiers have an option to copy to internal email, so this would have even been possible from the branches themselves.

Banks, and the NHS, aren’t alone here. US-based organisations (e.g. the EC-Council, who should know better) seem to frequently ask customers to fax credit card & bank details, which is crying out for problems. There are numerous online payment processors which reduce the need to have a member of staff collect the faxes and manually process the payment, as well as providing security to the customer. While US companies might not fear the ICO, the fact is they are risking their customers’ security, and this is rarely good for business.

Whatever your situation, wherever you are based, stop using fax machines to send sensitive data. There really is a better way.

NHS Trust fined £200,000 following data disposal errors
http://www.halkynconsulting.co.uk/a/2013/07/nhs-trust-fined-data-disposal/
Mon, 15 Jul 2013 19:08:21 +0000

Although it has a well structured, well run and reasonably well resourced security management service, the NHS still seems to struggle with some aspects of compliance with the Data Protection Act. As a result, another NHS trust has fallen foul of the Information Commissioner’s Office (ICO) and been fined a significant amount of money.

NHS & Healthcare Security: Sensitive data needs proper protection.

Based on the ICO’s press release, it appears that NHS Surrey had outsourced the disposal of its computers and related assets. Unfortunately, after 2 years, they were notified by a member of the public that a disk purchased from eBay contained patient data.

According to the press release, when NHS Surrey collected the computer and processed it, they discovered records belonging to 900 adults and 2000 children. Faced with this information, the trust was able to recover 39 further devices from the trading arm of the data destruction provider. Of this batch, 10 were previously owned by NHS Surrey and three contained sensitive patient data.

NHS Surrey appear to have entered into an arrangement whereby the data disposal company removed the devices for free on the grounds that they could sell on any salvageable materials. From the ICO’s report, this appears to have been a bit of an informal arrangement and no contract was in place and no monitoring conducted.

Stephen Eckersley, Head of Enforcement, described this as “one of the most serious the ICO has witnessed” with the following points noted in the press release:

The ICO’s investigation found that NHS Surrey had no contract in place with their new provider, which clearly explained the provider’s legal requirements under the Data Protection Act, and failed to observe and monitor the data destruction process.

NHS Surrey mislaid the records of the equipment passed for destruction between March 2010 and 10 February 2011, and was only able to confirm that 1,570 computers were processed between 10 February 2011 and 28 May 2012. The data destruction company was unable to trace where the computers ended up, or confirm how many might still contain personal data.

One major difference is that, unlike the local Councils in the UK, the NHS has a well structured, centrally managed system to enforce security compliance on third party suppliers. It appears to have failed here.

Lessons learned from the NHS – Supplier Security Management

There is a lot that can be learned here, even if you don’t work for the NHS. If you handle personal data, or if you just have commercially sensitive information, you need to make sure you dispose of your assets properly. If your files end up on eBay then you face regulator fines, loss of competitive advantage and reputational damage.

You can avoid this. Quite easily actually.

The Data Protection Act is quite clear about the obligation, and the 7th principle states:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Even if you don’t process personal data, this is a good principle to adhere to when it comes to protecting your corporate data.

With this in mind, there are some steps you can take to avoid following NHS Surrey’s footsteps:

Have a policy and plan in place to manage your information lifecycle. This needs to document how you create, maintain and dispose of all your information assets.

Keep an accurate, and well maintained record, of where your sensitive information is stored. You should always be able to tell if a hard disk has had “important” information on it or not.

If you outsource your disposal you absolutely must make sure there is a robust contract in place. This contract must oblige the service provider to securely dispose of any data. If nothing else, this means that in the event some data surfaces, you have options to protect yourself.

Make sure you manage your disposal process. In-house or outsourced, you should nominate a suitable person to be responsible for ensuring data is properly disposed.

Following these four steps will help you avoid following in the footsteps of NHS Surrey and the Scottish Borders Council. More importantly, it will help you avoid suffering a fine in the region of £200,000.

Good supplier security management is not free, but it is a lot cheaper than the alternatives.

Telesales can be effective at promoting your business but you need governance structures in place to make it work for you.

A breakdown of internal governance processes has led to the Information Commissioner’s Office (ICO) issuing a civil monetary penalty (fine) on Tameside Energy Services Ltd, a Manchester based company claiming to offer a range of energy improvements and making heavy use of cold-call sales tactics.

Showing a growing tendency to fine private companies, the ICO reported that Tameside Energy Services was responsible for over 1000 complaints from customers over failures to remove people from their contact lists and a failure to properly check the Telephone Preference Services (TPS) lists before making cold calls.

In the statement announcing the fine, Simon Entwisle, Director of Operations for the ICO said:

This is not the first and will not be the last monetary penalty issued by the ICO for unwanted marketing calls. These companies need to listen – bombarding the public with cold calls will not be tolerated. Were it not for the company’s poor financial position, this monetary penalty would have been £90,000.

We are continuing our work with the industry, government and other regulators, including OFCOM, to co-ordinate our efforts to tackle this problem. We would like to see the law changed to make it simpler for us to punish companies responsible for repeated and continuous breaches of the law.

The lack of organisational governance appears to be part of a larger problem with this company. However, if they had spent a trivial sum of money on implementing a governance process, they would have saved ten times that amount of money in fines.

It seems to go without saying that cold calling is largely unpopular and it is likely that as issues like this get more coverage, more people will know to complain. The ICO has even set up a reporting tool (available online) to make it easier to report nuisance calls.

Cold calling needs good governance

However, lots of companies still use cold calling telesales and it can be a very effective way to get new business. So, the question is, how do you make sure it works for your company rather than open you up to potentially massive fines?

The simple answer is governance.

In this example, the existence of a governance team would have driven compliance – both with removal requests and TPS checks – and prevented both customer annoyance and the ICO fine.

Whatever your line of business, whatever size your organisation, you need to address governance, risk and compliance. It doesn’t matter if this is one department, three or a dozen. It doesn’t even matter if this is part of your security team, audit team or even sales teams. The only thing that matters is that you have it.

Risk management is not just about preventing people stealing your assets, it is also about ensuring you have proper governance processes to stop your own business cannibalising itself. Sales methods are there to grow your business, not to have you fined.

The sad truth is that if your sales methods need to bypass these checks to make money for your business, something is fundamentally wrong. Good governance would identify this in advance and help you regain control.

Fax machines – not suitable for sensitive data
http://www.halkynconsulting.co.uk/a/2013/06/fax-machines-not-suitable-for-sensitive-data/
Fri, 14 Jun 2013 20:21:40 +0000

It seems some technologies are hard to get rid of, and people are still using fax machines to send data despite them being slow, cumbersome, unreliable and, most importantly, insecure. As it is 2013, it should go without saying that fax machines are not an appropriate mechanism to send anything sensitive, and certainly not sensitive personal data.

Data needs to be protected in transport.

However, this is exactly what has cost the North Staffordshire Combined Healthcare NHS trust £55,000 this week. To make matters worse, the Trust has a set of policies to cover sending data over fax machines, but they appear to have been ignored. As a reminder – normal fax machines are insecure. And we would even go as far as to say even if you set up good cryptography to secure your fax machines, they are still the worst option.

In an announcement on 13 May 2013, the Information Commissioner’s Office (ICO) reported that the NHS Trust had sent sensitive medical data over their fax machines to the wrong number on three separate occasions. The Trust only became aware of the problem when the recipient eventually wrote to them.

It appears that this breach was the result of a combination of factors. First off, fax machines are a bad idea for sensitive data. To make it worse, it appears the trust staff were not aware of how to use fax machines in a secure manner. Combining these two almost guarantees a security breach.

The ICO is less damning over the use of fax machines and concentrates on the process and user awareness:

Let’s make no mistake, this breach was entirely avoidable. One phone call ahead to the trust’s Wellbeing Centre would have alerted its staff to the fact that the number they were entering was incorrect. This would have stopped highly sensitive information about the care of vulnerable people being sent to a member of the public on three separate occasions.

This case should act as a warning to all organisations that routinely send out sensitive personal information by fax. Make sure you have appropriate procedures and controls in place, so that errors can be spotted before it is too late.

We would suggest that this is the bare minimum to consider if you use fax machines – for any data – but first you should review why you are using them in the first place.

Recently we have been engaged with a couple of organisations who have used fax machines to send corporate data. In two instances this included information that would be considered sensitive in most contexts (although not covered by the Data Protection Act 1988).

Both companies have detailed security policies governing the transmission of data and what encryption is required. However, neither appeared to realise that data sent over fax machines travels in the clear, with very little way of knowing who the recipient is.

Fax machines are not suitable for sensitive information.

Just in case you aren’t convinced, let’s look at some reasons why fax machines are risky.

The data is (normally) unencrypted. Fax machines simply scan the image and send the bits over the phone line. Anyone between you and the recipient can read the data.

You can’t be sure the line between sender and recipient is direct. Most telephone connections use IP somewhere along the path, so the days of a single piece of copper between each machine are long gone. When you use fax machines, you have as much control over what equipment sits between the parties as you do with email.

Using fax machines gives you no control, or assurance, over who is at either end. Most of the time, documents you fax end up falling out of the machine onto the floor where they wait to be found.

When you send documents over fax machines, you have no real way of knowing if they arrived unless you implement a laborious process of telephone calls before and after.

Fax Machines – out of date and insecure

Obviously you can implement mitigating controls (such as telephone calls before and after, or expensive encrypted fax lines) and still use fax machines. The problem is this all creates a cost just to allow you to use an outmoded communications path. Would you put this much effort in to allow your business to still use smoke signals?

What compounds the problem is the vast majority of documents sent by fax are generated on internet connected computers, using networked data, and then printed off before being sent. This creates the new problem of having to secure the printed copy at both ends.

A much easier solution is to email the document and use any of the good (often free) encryption tools that are available. Now the only challenge is to share the encryption key (password) with the other side, but this can easily be done over a different channel. If you regularly exchange sensitive information with a single endpoint (as in the NHS example), rather than use fax machines you can set up an end-to-end encrypted email system. If that is too technical, then you can still pre-arrange what your passwords will be and use any free encryption package.

Of course, nothing in security is perfect and every solution will have risks. The problem with fax machines is that they actually increase the risks over what you would get using unencrypted email.

Now, having said all that, one use for fax machines is as a third line disaster recovery option. If your online comms are down and you absolutely must send a document, then fax it. Just don’t think it is in any way secure.

Take this opportunity to review your processes. If you have fax machines, find out why you use them and what business functions they provide that can’t be replicated using email. Don’t accept the argument that you need to capture signatures; this can be done electronically, or a signature can be scanned in. Make sure there is a good, strong business reason to take this risk.

If you absolutely must use fax machines make sure that you have good policies and processes to secure their use.

Finally, and this is the important bit, make sure all your staff are 100% sure how to use them and have the time and space to do it properly. Do not allow your managers to rush staff into unsafe practices and do not allow your staff to develop bad habits.

Fax machines are bad news from a security standpoint, so if you want them, you have to work hard to minimise your risks.

Our security experts can help you secure your use of fax machines, or better still help you move to a more secure communications path. Get in touch to find out more.

Lack of Laptop Encryption costs City Council £150,000
http://www.halkynconsulting.co.uk/a/2013/06/lack-of-laptop-encryption-costs-city-council-150000/
Fri, 07 Jun 2013 20:29:05 +0000

The Information Commissioner’s Office (ICO) has announced today that it has fined Glasgow City Council £150,000 following the loss of two laptops because neither had any encryption software applied.

All portable computing devices are at risk of theft or loss. Encryption helps manage this risk.

The fine follows an incident where two laptops were stolen from Council offices during refurbishment. To complicate matters, the Council had already been made aware of the risk of theft and, although one laptop was locked in a storage drawer, the key to the drawer was kept insecurely, along with the second laptop.

The investigation into the two stolen laptops revealed that the Council had issued a large number of devices without any encryption and, although many of these were later encrypted, 74 remain unaccounted for (and unencrypted), with at least six known to have been stolen. Two years previously the Council had been issued with an enforcement notice following the loss of unencrypted memory sticks.

Kevin Macdonald, the ICO’s Assistant Commissioner for Scotland said:

To find out that these poor practices have returned some two years later shows a flagrant disregard for the law and the people of Glasgow. The council should be held to account, and the penalty goes some way to achieving that.

It is staggering to think that in such a short time the Council has managed to fall into such bad habits around basic security principles.

Encryption is the essential last resort for IT

Security – be it around IT hardware, portable devices (laptops, tablets or phones), documents, people, or anything else – is built on a framework of overlapping security controls. The idea is that if one control fails, security is still in place because the other controls still work.

When it comes to portable IT assets – especially laptops – the sad truth is that they are at significantly greater risk of loss or theft than pretty much anything else in your inventory. Users will consistently circumvent your physical security controls (leaving them on trains, forgetting to lock drawers, and so on), and they are an attractive target for criminals.

This means it is essential that you assume they will be stolen and ensure that encryption is part of every single build.

Four main lessons

There are a lot of lessons that can be learned from the fine issued to Glasgow City Council, so you should take this opportunity to review your processes and see where you can improve.

The four main take away points from this are:

Ensure all portable devices are encrypted – with laptops this should be whole disk encryption at a minimum, for tablets or smartphones your mobile device management policy should include mandatory file encryption and strong passwords.

Ensure all your employees are properly trained in how to care for portable devices and how to use your security furniture. Keys must always be properly secured.

Maintain a working, accurate asset register. Without it you don’t even know if your devices have been lost / stolen.

Have a functioning risk management process in place which is able to respond to changing threat levels (such as the reports of increased crimes) and is able to drive security practices within your business.

Without these four simple steps, your security activity is fundamentally undermined and it is only a matter of time before you suffer a loss and (if it relates to personal data) a penalty from the Information Commissioner.

Security must never be seen as a cost to your business; it is there to protect against greater losses and allow you to continue to operate. Cutting corners is not a good use of your resources and, as we keep saying, unless you put aside enough resources to deal with the inevitable security breaches, it is a massive risk management failure.

Implementing encryption would have been a lot cheaper for Glasgow City Council.

Security design – physical security measures
http://www.halkynconsulting.co.uk/a/2013/06/security-design-physical-security-measures/
Mon, 03 Jun 2013 21:09:17 +0000

Physical security really does matter. When it comes to protecting your property, stock, customers, employees or other assets, the physical security measures you can put in place form the foundations for any other loss prevention or information security program. Implementing good physical security measures saves you money in the long run and is often a basic requirement for insurance coverage.

Protect your assets – whatever they are

Unfortunately, physical security measures are frequently overlooked. Even when they are considered, often organisations devolve this to the facilities management team rather than a centralised security domain. To make matters worse, even when physical security is a part of the organisation it is unfortunately common for this function to remain on a separate reporting chain to the rest of the security and risk management activities.

This is not good for your business because physical security is important. Just to reiterate something we have said lots of times – not having robust physical security processes, properly implemented, in your organisation undermines all your other security controls.

The problems with physical security

The world isn’t a perfect place and there are some factors which lead to problems when it comes to perfecting your security measures.

Physical security isn’t generally exciting or newsworthy. It doesn’t matter how important physical protection measures are, information security and the threat of Cyber-Hackers is always going to grab the headlines. When it comes to spending priorities, headlines win.

Physical security is sometimes (wrongly) seen as something anyone can do. Even though it is a very specialised field, there is an assumption that anyone can look at locks or put up a fence.

It is often too late for the most cost effective physical security controls and this leads to organisational inertia against implementing new ones. The best time to implement security controls is at the design stage but for most, this is not an option and you are faced with bolting controls onto existing facilities.

Physical security – solutions?

The hardest solution is also the most important one. Security is important and all your key stakeholders need to realise this and fully understand the implications. If your organisation has a Chief Security Officer (CSO) then it is a step in the right direction, but there still needs to be continued effort to ensure that security gets the right profile. If you don’t have a CSO, then the job of selling security is yours. Work hard.

The second solution is to realise that physical security is very much a discipline that needs skilled, qualified and experienced professional staff for it to work. This comes at a price, but remember: paying an unskilled, unqualified person to do physical security is not a saving; it is just a waste of money. You wouldn’t try to cut corners by asking your sales manager to double as an accountant or legal advisor, so don’t do it with your security professionals. Facilities management is linked to physical security but it is not the same thing, and there is no automatic assumption that someone good at one role is good at the other.

The last of these three problems is where it gets interesting.

If you are moving to a new home, your business is building new premises or even just expanding, then you have the chance to get the best possible value from your physical security measures. Designing in security allows you to ensure that every control is suitable for your needs and implemented for as little cost as possible.

Sadly, this is a very rare situation.

It is more likely that you need to build security into an operating environment – be it a home built years ago, offices in constant use or a busy warehouse. Here you no longer have the option to specify what the walls will be made out of, or how high the windows will be from the floor, you simply have to implement physical security in the best possible manner.

The best way to do this is by using good physical security design.

This is not design in the way you might do it for a new site, where the physical security professional sits down with architectural drawings. Instead, it is using your experts to design a robust physical security program that fits your situation.

A well designed physical security plan will follow some common steps, similar to the normal quality assurance / continual improvement process models:

Identify the goals of the physical security plan. [Plan]

Design & implement the physical security system. [Do]

Evaluate and test the system. [Check]

Monitor and manage (and improve) the physical security system as part of your normal business. [Act]

It is a mistake to allow this process to turn into a box-ticking, check-list exercise, but for some stages having reference lists can help ensure that nothing gets overlooked and lets you demonstrate due diligence to an external party.

An example of where a physical security check-list might help is during the planning stages when you need to carry out surveys of the site and determine what is already there and can be used. We have produced a physical security assessment form [available for free download] which can be used for this purpose or can form the basis of one developed for your own purposes.

At Halkyn Consulting we offer a wide range of physical security services, including design assessments for new build, risk management and physical security improvements. If you have your own security team, we are always happy to provide support, guidance and mentorship to help improve your security, protect your assets and reduce any losses. Get in touch to find out more.

Passwords are not bad, just don’t trust vendors
http://www.halkynconsulting.co.uk/a/2013/05/passwords-are-not-bad-just-dont-trust-vendors/
Thu, 16 May 2013 19:32:11 +0000

Passwords are in the news again, with yet another headline crying out for the death of the password and claiming that everyone should move to two factor authentication (2FA) for all their online activities. As with all these claims, it is worth looking at them in greater detail before we give up on one of the single most cost-effective methods of getting a certain level of assurance about someone’s identity.

Our [FIDO’s] intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole internet — including internally in enterprises — obliterate user IDs and passwords and PINs from the face of the planet.

This is interesting and may appear to be a worthy goal, but we strongly disagree.

Quick primer on passwords and how you should use them

What are passwords?

First off, as a bit of quick background: passwords are one type of “single factor authentication” and, often combined with a user ID (name, number, email address, whatever), are used to authenticate a user to a service. Other single factors include fingerprints, retina scans, smart cards and the like. When you combine these factors you get “multi-factor authentication”, and this is usually what people mean when they talk about replacing passwords.

Single factor authentication gives a basic level of assurance that the person is who they say they are. In situations where this is insufficient you should add additional layers, but bear in mind that this increases cost and complexity, and a poor installation is often worse than no authentication at all.

Generally, the more importance you place on knowing “who” the person you are interacting with, the more factors you should use, but you must use them properly.

Keep this in mind: If you implement your authentication badly, it doesn’t matter how many factors you use.

Are passwords bad?

The simple answer is “No.” Passwords are not inherently bad and the use of passwords (or more properly an ID & Password) for authentication is perfectly reasonable for 99.999% of the situations where they are deployed. In our consulting work, we encounter more situations where people have used more factors than they need than situations where they haven’t used enough.

Are some passwords bad?

Possibly. Various security and IT related websites regularly announce how “password” or “123456” are the most common passwords (such as in this article on the Register), often implying this is why passwords are inherently broken and that users can’t be trusted to select stronger passwords.

It is certainly true that using “common” or easily guessed passwords is a bad idea, and it can significantly increase the ease with which a malicious party (hacker, spy, jealous co-worker, whatever) can compromise your password, but this is normally going to be a weakness about how the authentication is implemented, rather than the actual password itself.

A “bad” password is really one which can be broken by an attacker and, while this is a simple statement, the practicality is a bit more involved. If you have a login screen which allows three attempts before lock out, it is unlikely that the malicious user is going to get to “Monkey” (number 6 on the list) before the account has locked – and if “monkey” is different from “Monkey” in the system then you can be reasonably sure it won’t fail when attacked.

Another issue with bad passwords is that we often look at them the wrong way round. When you see a password written down as “zaq12wsx”, it is easy to spot that it comes from the left-hand side of a UK keyboard, but unless the attacker has this knowledge they need to cycle through billions of other possible combinations.

What makes a good password?

With passwords two things are important – length and complexity. More of either is good and more of both is better. A long password will be difficult enough to compromise that most attackers will give up – as an example, a 15 character password made from single case letters will take about 53,000 years to crack (source). If you make it complex (mix of upper and lower case, numbers and other keyboard characters) you can make it even harder.

Unfortunately, sometimes systems are badly designed and enforce shorter password sequences – this is where complexity becomes much more important and the use of random generators becomes worthwhile. Despite what you may think, humans are terrible at thinking up random passwords and even worse when it comes to recognising them.

Interestingly, once you move beyond the most glaringly obvious passwords (e.g. “1234”) it doesn’t really matter whether you use a random generator or not, as the attacker still has to brute force the keyspace to work out what your password is. This means that to an attacker “easypwd1” is just as hard (or easy) to compromise as “t8yuas1e” – even though the first one looks like it should be trivial to crack.

Keep this in mind when you visit sites that offer to rate your password strength or when security professionals try to lecture you on how passwords are broken.

The important thing for a password is keyspace which, as we said, is driven by length and complexity; randomness is a distant second (or third) unless your attacker has access to whatever process you use to invent your password.

Can you give us an example of good passwords?

Possibly, but remember that once they are printed on the internet, they are likely to end up in a dictionary list somewhere so, rather than search for a password you want to use, take the advice here and use it to construct your own.

Password Strength – xkcd.com

Good passwords are long and complex, but length is the most important so the oft-posted advice from XKCD.com works here.

Don’t fixate on trying to come up with impossible-to-remember strings of what you think are random letters and numbers; cracking tools will easily bypass most things you can invent.

Instead, use sentences with spaces and relevant capital letters. If you must use symbols (company password policy rules etc.), then you can add them or replace letters with them, but remember to keep it long. As passwords go, “This is my massively long password with little complexity” is harder to crack than “ExdYx4G53PmXSH” and you are only likely to remember one of them. Obviously, if it is a service you have to authenticate to frequently, you might not want such a long password, or you may need to improve your typing speed.
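To make the keyspace argument from the last two sections concrete, here is an added worked example (not from the original post) that infers the alphabet an attacker must cover, computes the keyspace in bits and estimates brute-force time for the passwords quoted above. The rate of 1e9 guesses per second is an assumption, chosen because it reproduces the post’s figure of about 53,000 years for a 15-character single-case password.

```python
"""Keyspace and brute-force cost of the passwords discussed in the post.

Added worked example. The password strings are the ones quoted in the
post; the guessing rate is an assumption (see GUESSES_PER_SECOND).
"""
import math
import string

# Character classes an attacker has to include once they know (or assume) a
# password draws on them. string.punctuation is the 32 printable ASCII symbols.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "space": ({" "}, 1),
    "symbol": (set(string.punctuation), 32),
}

# Assumed offline guessing rate. 1e9 guesses/second reproduces the post's
# "about 53,000 years" for a 15-character single-case password.
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker must cover, inferred from the
    character classes actually present in the password."""
    size = 0
    for chars, n in CLASS_SIZES.values():
        if any(c in chars for c in password):
            size += n
    if size == 0:
        raise ValueError("password uses no recognised character class")
    return size


def keyspace(password: str) -> int:
    """Number of candidates of this length over the inferred alphabet."""
    return charset_size(password) ** len(password)


def keyspace_bits(password: str) -> float:
    """Keyspace expressed in bits: length * log2(alphabet size)."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try the whole keyspace at `rate` guesses per second."""
    return keyspace(password) / rate / SECONDS_PER_YEAR


def compare(a: str, b: str) -> str:
    """Return whichever password has the larger brute-force keyspace,
    or "equal" when they are the same size (randomness does not matter here)."""
    bits_a, bits_b = keyspace_bits(a), keyspace_bits(b)
    if math.isclose(bits_a, bits_b):
        return "equal"
    return a if bits_a > bits_b else b


if __name__ == "__main__":
    samples = [
        "abcdefghijklmno",  # 15 lower-case letters: the post's ~53,000-year case
        "easypwd1",         # looks guessable ...
        "t8yuas1e",         # ... but has the identical keyspace under brute force
        "zaq12wsx",         # keyboard walk: also 36^8 unless the attacker knows the pattern
        "ExdYx4G53PmXSH",   # short and "complex"
        "This is my massively long password with little complexity",  # long and simple
    ]
    for pw in samples:
        print(f"{pw!r:62} alphabet={charset_size(pw):2} "
              f"bits={keyspace_bits(pw):6.1f} years={years_to_exhaust(pw):.3g}")
```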

Should you write passwords down?

This may come as a shock but there is no automatic reason why you shouldn’t write your password down, but in a work environment you may have rules about what you can and can’t do.

It all boils down to what your threat assessment says – unfortunately when it comes to passwords, too many people fall into the trap of blindly following default rules no matter what the situation is.

For people who are responsible for developing password policy, ask yourself if your threat actors really do have the ability to read passwords written on post-it notes next to your employees’ monitors. If your main threat is internet based script kiddies, then they are not going to find someone to come and work as a janitor in your offices so they can desk surf for passwords to your corporate Facebook account. Seriously.

Every security decision you make must be based on a realistic threat and risk assessment otherwise it is pointless.

So, what is the problem with Passwords?

Passwords are far from perfect. If nothing else they are but a single factor of authentication and that implies there is only a certain amount of trust you can ever give them. Passwords also have a long history so people tend to take them for granted and feel that because so much else has changed, it must mean passwords are “old fashioned” now.

This is combined with lots of high profile cracks of various databases and regular news items about how a whole directory of passwords has been dumped on pastebin or similar sites.

Is it all bad?

No, far from it. Few, if any, corporate security breaches are the result of hackers directly compromising a user password (more on that in a bit). Unless you are a famous celebrity on twitter, the chances are no one is going to bother even trying to guess your password, let alone actually manage it.

So how do the hacks happen?

The overwhelming majority of hacks are the result of other techniques (such as SQL injection) which then allow the attackers to get a dump of the password file for offline attack. This is frequently what makes the news and is nothing at all to do with passwords being unfit for purpose.

There are still some instances where attackers can subvert a password implementation but, again, nearly every instance is actually the result of something being fundamentally wrong in how the passwords are used.

How do you implement passwords badly?

For the user, passwords should be easy. For the system owner / manager, passwords should also be easily implemented (they come built into pretty much every operating system in the world) but this is frequently where things go wrong.

If you have a system which requires user authentication, you need to make sure you implement it properly.

This means things like not allowing unlimited attempts, not sending passwords in plain text over the internet, not storing passwords in clear text and not allowing trivial bypasses of your authentication steps. All of these are easily avoidable, yet account for almost all the reasons why passwords (and user identities) fall into the hands of hackers.

None of this shows that passwords themselves are a bad choice of single factor authentication; poor implementation will undermine any technology choice. If anything, poor implementation of other authentication methods (or multi-factor authentication) is going to be worse because it undermines a greater assumed trust.

So, why are passwords in the news all the time?

Normally, this happens when a product vendor decides to announce their new, all singing, all dancing smartcard, finger print reader or retinal scan device.

The recent Register article is a good example: FIDO is looking to produce an authentication device that they would like you to spend money purchasing and implementing, so it is in their best interests to remind people about the “weaknesses” of passwords.

Unfortunately no device overcomes the fundamental problems with poor implementations, they just become expensive ways to create a device management nightmare.

Smartcard and fingerprint readers appear to be good, but at some stage your data has to be encrypted and sent to the server for authentication – if this is done badly, it opens a clear attack channel and gives the hacker a massively enhanced level of authentication on your network.

Devices (smartcards, scanners etc.) have to be managed so you can trust what is coming in from the other end. If a hacker has your device they can spend months working out how it encodes authentication data and then use this to attack you. Token devices that get lost have to be withdrawn and replaced. You even have to consider how the user authenticates to their device in the first place.

All of this creates a huge headache and is off putting for most (non-governmental) organisations, so it is understandable that there is a commercial need to play down the utility of passwords as a single authentication factor and if they can make customers scared of anyone who doesn’t use multi-factor authentication, all the better.

But, do you really want a product vendor to do your risk assessment for you? Should you listen to the vendor when they tell you what is, or isn’t, good for your network? I would suggest not, but you might have more money than you know what to do with.

The bottom line is security must always be driven by a threat based risk assessment and you should never, ever, trust a product vendor to do this on your behalf.

Security awareness training – value or not?
http://www.halkynconsulting.co.uk/a/2013/04/security-awareness-training-value-or-not/
Sun, 21 Apr 2013 16:15:52 +0000

Last month (27 March), the security and cryptography expert Bruce Schneier posted an article on his blog about Security Awareness Training. It should go without saying that Bruce Schneier is one of the leading lights of the IT security world; he has written several very informative books that would always top our recommended reading lists and, most of the time, what he says about security is completely spot on.

However, this time it seems he has made a significant mistake and it is largely driven by his focus on the IT part of information security.

In the article, Bruce writes:

I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere. Moreover, I believe that our industry’s focus on training serves to obscure greater failings in security design.

The two statements here aren’t really as linked as Bruce makes out.

It is almost certainly true that a lot of security training is worthless and driven simply by external compliance requirements, and it is true that a focus on training can be used to avoid implementing good security practices. But once we move away from a very narrow sphere of security, for all practical purposes this argument breaks down.

The result of this is that security awareness training is currently one of the most cost effective methods of improving your security.

It should always be the primary goal of any security implementation to ensure that security exists even if the end user is clueless. Unfortunately, user activity is almost always required to support and supplement the built-in security controls, and this is where security awareness training becomes paramount.

Bruce addresses his main concerns to those who think security awareness training is good (which is why it seems appropriate to respond in a post here), saying: [Emphasis added]

To those who think that training users in security is a good idea, I want to ask: “Have you ever met an actual user?” They’re not experts, and we can’t expect them to become experts. The threats change constantly, the likelihood of failure is low, and there is enough complexity that it’s hard for people to understand how to connect their behavior to eventual outcomes. So they turn to folk remedies that, while simple, don’t really address the threats.

The problem seems to be less driven by the value of “security awareness training” but more by what Bruce expects the outcome of this training to be.

No one in their right mind expects a security awareness training program to turn people into security experts. No one. This is a strawman which undermines what the real value of security awareness training actually is – and that is employees who are more alert about security risks and more able to help you protect your business, its assets and themselves from a variety of threats.

Security awareness training does not replace the need to have a competent, skilled, motivated and professional security team. It does not remove the need to have properly implemented security controls. It doesn’t mean you can blame your employees for every breach. It doesn’t even mean that you can sit back and assume you will never experience a security breach.

Security awareness training does mean, however, that you have taken the proper steps to help ensure your employees are part of your overall security posture.

Security is about much more than protecting IT assets; it is about much more than ensuring your employees don’t click on dodgy Facebook links, and it is about much more than making sure they aren’t careless with their account credentials.

If your awareness program only looks at this, or if your awareness program is trying to create IT security experts in one session a year, then you are getting it wrong. You are missing a major point about how to best use the time and how to best engage your employees in your security process.

Good Security Awareness Training

Your security awareness training needs to be driving three main themes to your employees:

Why security is important to your business. You need to make your employees understand their responsibilities and how their actions are important to the bottom line (their jobs).

How security is implemented in your business. What alarms do you have? What are the rules for lone workers? Where are phones allowed? Are employee-owned devices allowed? And so on. This is the meat of the training and is how you make your employees aware of the security around them. (It is awareness training, after all.)

What your employees have to do. Once they know the why and the how, it is time to explain to your employees what is expected of them when they are going about their business: How do they summon help? How do they report a breach? What is the process for locking the office at night? How do they get access outside normal working hours? And so on.

None of this will turn them into experts, but equally it is far from a waste of your resources. Failing to provide security training means – in the current world at least – that you will spend more on security controls and / or suffer more security breaches.

Security training – dos and don’ts

As Bruce Schneier says, it would be great if we could engineer out the need for your employees to play a part but the reality is that the spectrum of security risks is so wide, so complicated and so changeable, that this is unlikely to ever happen.

Don’t fixate on the computer user part of your security, don’t believe that security awareness training is wasted but also don’t think of it as a magic bullet.

Do provide good quality, appropriate and effective security awareness training for your employees.

Unexpected Weather? Check your business continuity plan!
http://www.halkynconsulting.co.uk/a/2013/03/unexpected-weather-check-your-business-continuity-plan/
Fri, 22 Mar 2013 23:48:25 +0000

By now, it should be no surprise to anyone that the UK is in the grip of some very bad weather that was largely unexpected. News reports today have talked about this being the “worst” March weather for over 30 years with many road and rail links closed due to snowfall. Additionally, large numbers of schools have closed, power has been out for several locations (as reported by the BBC News) and airports are struggling to keep runways open.

The weather today will have disrupted thousands, and it looks likely to continue into the weekend, making it hard for employees to get to work and for supplies and stock to move around; even where stock is available, it is hard for customers to get to shops to buy things.

This is where your business continuity (BC) plans need to start working.

Every organisation has unique circumstances, so this post isn’t about specifics, but instead it is a reminder that you not only need a BC plan, but you need to make sure it works and it covers the relevant, important, events you are likely to face.

Try to consider a wide range of weather scenarios.

One organisation we have been working with was fortunate enough to have very recently implemented a BC plan which provided flexibility for their office staff to work remotely and a VoIP communications system to keep everyone in touch.

This morning, it was implemented – not because of an incident at the main office site, but because most of the workforce were either stuck and unable to get in (or would face very long journey times) or had children in schools that had closed and now had to stay at home to supervise them.

While none of this was explicitly identified as a trigger item in the BC plans, the plans were flexible enough to allow key decision makers to realise that disruption was happening and take appropriate measures. Thanks to very good planning combined with sensible testing, the BC plan worked pretty much without a hitch and the organisation experienced no loss of productivity today – despite nearly 75% of the workforce being impacted by the weather.

If they had failed to implement the BC plan, it is estimated they would have suffered a loss of productivity which would have cost the organisation over £75,000 through direct and indirect costs. This alone makes the BC plan worth its weight in gold.

From this, there are some lessons that every organisation should take on board:

First and foremost, have business continuity plans. Something is better than nothing, and don’t expect to plan every minute detail. If you do nothing else as a result of this weather, make sure you have a BC plan.

Make your plans flexible enough that your key decision makers can identify a BC situation before it gets out of control and take appropriate measures.

Your BC plans need to identify what is really important for your business and should enable you to continue this.

Don’t just plan for a problem at your location. Look at where your employees travel from and think about what would happen if there is disruption there. Try to consider additional complications, such as what your remote workers should do if they lose power.

Test, test and test again. BC plans are a great first step, but you never want the first time you test them to be when you are facing an emergency. Test your plans in small chunks, in table-top scenarios, or do full-blown, full-plan tests. Just make sure you test.

Business continuity plans are often an afterthought, even though they can be the difference between your livelihood continuing through unexpected situations and bankruptcy. This is a mistake and every organisation should dedicate time and effort to ensure they can cope with the unexpected.

Remember, if you want your business to continue, you need a business continuity plan.

Pre-employment Security Screening – Reducing the workforce risk
http://www.halkynconsulting.co.uk/a/2013/02/pre-employment-security-screening-reducing-the-workforce-risk/
Wed, 27 Feb 2013 19:34:20 +0000

It can be hard for a business to bring in new workers. The trusted insider poses a unique threat to any organisation – not only can the insider do you considerable harm but, for your business to function, you have to be able to trust your employees and let them get on with their job.

If this wasn’t bad enough, there are also risks to you, and your organisation, driven by Government legislation – in the UK you face a fine of £10,000 or 2 years in jail per worker if you hire illegal migrants – and the reputational harm that can arise from hiring the wrong person.

One of the more effective ways you can manage this risk is to have a well thought out pre-employment screening program. To assist with this, we have put together a slide deck covering the key points you should be looking at:

As with all security risks, it is impossible to completely eliminate the threat, but if you have a well planned (and properly documented) recruitment process that covers this screening, you are able to use a statutory defence (in the UK at least) against any fine or penalty from the UK Border Agency. This alone makes it well worth the effort for any employees you hire.

There are additional hidden pitfalls – such as making sure you screen all employees rather than only the ones you believe more likely to be illegal migrants based on ethnicity, and making sure you repeat document checks on a regular basis to ensure work permits haven’t expired – so this is an area you should devote a lot of effort to in order to get it right.

If you want more help and advice in putting together an HR / pre-employment screening process then please get in touch.

Another lack of encryption leads to a Data Protection Act Fine
http://www.halkynconsulting.co.uk/a/2013/02/another-lack-of-encryption-leads-to-a-data-protection-act-fine/
Sun, 17 Feb 2013 19:52:56 +0000

On Friday, 15 Feb 13, the Information Commissioner’s Office (ICO) announced that the UK Nursing and Midwifery Council (NMC) had been fined £150,000 for a breach of the Data Protection Act. (It is worth bearing in mind that the NMC has recently raised the registration fees for nurses to £100 per year.)

It seems that this fine is the result of the NMC sending evidence for a disciplinary hearing by post. The following is from the ICO press release:

The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.

and David Smith, Deputy Commissioner and Director of Data Protection added:

The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.

This pretty much explains the fundamental mistake here.

For the want of a policy document and free or low-cost encryption software, the Nursing and Midwifery Council has been fined £150,000. That is close to one hundred times the cost of doing things properly – even if the creation of the policy documents had been fully outsourced.

This is a fundamental failure of security risk management and a sign that, worryingly, an organisation with access to evidence, sensitive personal data and financial records doesn’t have a robust enough security management approach to realise the risks it is taking with information.

Based on the information in the ICO statement it appears there are some lessons that can be learned from the NMC fine:

Sending documents by courier is not a problem and is often the best mechanism where there is a lot of data (potentially over 14 GB of data in this instance), but you need to have a policy governing this in place.

Any sensitive data should be encrypted – be it on USB, DVD or over the internet. Encryption is cheap (free) and easy to use.

Asset registers and document control registers are essential. In this case, it seems likely that the disks were mislaid prior to shipping but there doesn’t appear to be any record of what was given to the courier or where items were stored. This is very poor practice, especially in light of the fact it was to be used as evidence for a disciplinary hearing.

Security risk management is not optional. Without it (or if it is malfunctioning) your organisation faces massive costs and, as always, ignorance is never a defence.

The important point, and it can never be stated enough, is that you need to have a well thought out, well managed and well resourced (staff and budget) approach to security; otherwise you will suffer a data loss. The costs of a security breach frequently and significantly outweigh the costs of prevention.

If you, or your organisation, handles sensitive data (personal or not) then you absolutely need to make sure that you know where all your assets are held (asset register), that you have some process for tracking how & where you send assets (issue and receipt logs), and that you have a security policy explaining how all this works.

Anything else is such poor risk management you need to make sure you have some funds put to one side to cover the inevitable breaches. (If you work for the NMC and want help on how to implement this then get in touch, we can offer a special rate…)

Office security checklist – Updated
http://www.halkynconsulting.co.uk/a/2013/02/office-security-checklist-updated/
Mon, 11 Feb 2013 10:00:00 +0000

As part of our ongoing drive towards improving your security, we have updated our office security checklist to make it easier to use and clearer to follow. The 2013 version of the security checklist is now available to download. The idea behind the document remains the same: this is something you can print off and […]

Mandatory Reporting of Data Security Breaches
http://www.halkynconsulting.co.uk/a/2013/02/mandatory-reporting-of-data-security-breaches/
Sat, 09 Feb 2013 23:54:33 +0000

It has been announced that the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, is looking to bring in mandatory reporting of information security breaches, at least within some industry sectors. In an interesting press release titled “EU Cybersecurity plan to protect open internet and online freedom […]

Mandatory security breach reporting – good thing, or just more paperwork?

It has been announced that the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, is looking to bring in mandatory reporting of information security breaches, at least within some industry sectors.

In most (admittedly not all) state-run organisations (for example, city councils and the NHS in the UK) there are already mandatory reporting requirements, but it has frequently been claimed across Europe that private companies are able to hush up data security breaches. This has cast doubt on security studies (such as the Ponemon data breach report) as it has never been clear whether everything is being captured.

Creating a mandatory reporting requirement for such a broad spread of service providers seems to be an effective way to level the playing field, as long as it is properly enforced. Any public company has to weigh up competing interests before reporting a data breach, and it seems likely that this is going to be just another factor to be considered. (For example, if the fine for not reporting is £10,000 but the likely loss in profit from the public reaction is £100,000, lots of companies will opt not to report.)

There is another hurdle that will need to be ironed out by the EU – and that is what constitutes a “major” security incident. There is no clearly agreed definition of this and I suspect entire books could be written on the subject.

However, if the EU can get over these obstacles, then this could actually be a very good move – even if companies try to resist it initially:

The pain of reporting a data breach creates an incentive to provide better security driven by sound risk management strategies.

As companies report security breaches, we will get better quality intelligence on what drives the breaches and how much impact they have.

The more security breaches that are reported, the greater pressure there is for police forces (national or international) to become involved and punish offenders – at the moment, hackers are only prosecuted in exceptional circumstances and often private companies are forced to utilise their own resources post-breach.

Time will tell if the EU actually implements this reporting requirement, but in the meantime, good practice would be to make sure that you have the following mechanisms in place (if you do, the EU requirements are likely to be painless):

A well run, well documented risk management process across your organisation.

A well documented and properly implemented security management system.

Robust network monitoring and incident detection systems.

Sound incident management processes.

Good, timely reporting chains.

This is good practice with or without regulations, so you really should be doing it now!

Do you value your security?
http://www.halkynconsulting.co.uk/a/2013/01/do-you-value-your-security/
Mon, 14 Jan 2013 19:54:03 +0000

We are in a new year now, the end of the world never materialised and everyone will be back at work, getting ready to push on with their New Year’s resolutions – even the ones doomed to failure.

Everyone says security is important, but what matters is whether you put your money where your mouth is.

Unfortunately, lots of the mistakes that were made last year will be repeated, and it is likely that during the next 12 months we will still see news items about hackers accessing sensitive data and the Information Commissioner fining yet another Government department for a DPA violation. The private sector will suffer undisclosed breaches, and the retail and transport industries will suffer loss and “wastage” as people pilfer goods rather than pay for them.

What this seems to show is that despite almost every CEO, MD, CIO, CTO, CISO etc., talking about how important security is, when it comes down to it, they aren’t prepared to put their words into action.

Already this year, we have worked with two organisations – both in the small-to-medium enterprise sector, although one has stock locations across the country – which have demonstrated how this gap between words and action causes a problem. Both of these clients suffered financial losses in 2012 as the direct result of security incidents and, quite rightly, had decided to take action to prevent this continuing.

The larger of the two organisations, with several locations, suffered from a variety of security issues that had gone unchecked for a couple of years, to the point at which they were causing financial pain. It was estimated that they had endured a direct loss (from theft, employee theft and vandalism) of £750,000 in 2012 (with similar amounts each year since at least 2009), and the marketing assumption was that, where this was public knowledge, it had tarnished the reputation and cost around £500,000 in additional revenue.

We were engaged by the Head of Security, and two of our consultants spent a week visiting the locations, assessing the existing controls and determining what had led to the incidents described. On completion of our engagement, we provided the organisation with a detailed report of what controls should be implemented to reduce the loss. In the end, we identified controls costing around £200,000 to implement (it varied by site) which would have reduced the 2011 loss from £750,000 to around £250,000. The marketing team agreed that these controls would also address the negative publicity and may lead to additional sales, but this is not something we would normally include in our estimates.

Armed with this information, the Head of Security presented to the board how an investment of £200,000 during 2013 would save the organisation £500,000 and drive new sales into new sectors. This is a board that, in previous years, has made several statements about how they “believe in driving good security” and similar promises. However, when presented with this clear opportunity to live up to its claims, the board changed its mind and refused the funding. Following some frantic negotiation, the Head of Security eventually got a budget of £15,000 for security improvements at two locations which, if implemented last year, would have prevented about £20,000 of the loss.

In this instance, it appears that the problem with the organisation is how the budgets are structured. The board viewed the security improvement not as an investment that would increase overall profits by more than the cost of making it, but instead as a centralised cost, while the losses were distributed across various segments of the organisation – each location and business function had its own reporting chain.

The problem is that no one segment of the organisation was losing enough to justify spending on additional security while the overall losses were causing pressure on the board to reduce expenditure.

Although nothing in security is certain, the loss trend for this organisation indicates that they will continue to lose around three quarters of a million pounds each year because the board has allowed the organisation’s structure to become so convoluted it is incapable of protecting itself.

Bad security costs more than good security. Diluting the harm creates a major risk for your organisation.

The smaller organisation – with only four locations in a reasonably compact geographical area – presented a good counterpoint.

We were engaged by the owner of the company to help following a break-in at one location which had resulted in the loss of about £15,000 worth of assets. The owner was concerned that this may happen again, and at the other company locations. The owner also identified other incidents over the last couple of years where vandalism and petty theft had led to extra costs for the business, and we worked closely with the local police force crime prevention team to determine what the crime trends were like.

Following our assessment, we identified security improvements that would cost the owner around £20,000 to implement but would be effective in preventing the type of burglary they had already experienced and would significantly reduce the smaller-scale crime. Additionally, these controls would mitigate several risks to assets with a total value to the company of £250,000.

Even though this would cost more than the single high-loss event they had experienced, the owner realised that this was a cost spread across four locations and would be effective for several years. As a result, the business owner has decided that it makes good sense to invest in the security and drive down their risks.

By being able to see the big picture risks, and being the person who felt the pain of the security losses, the owner of this company was in a much better place to drive forward and implement good security practice.

When a business grows, it makes sense to bring in more layers of administration and organisation but as the first example shows, it is a major failing of corporate risk management if these layers begin to hide risks and dilute the opportunities you have to mitigate threats.

This New Year, why don’t you make a resolution to blow out the cobwebs of your corporate risk strategies and look at how your administrative and reporting chains work? Do you dilute the threats your business faces to the point at which you can no longer determine what controls are cost effective? Do you have a centralised risk management strategy which allows your key decision makers to see where risks are growing? Are you able to be proactive at driving down risks and security threats?

If not, this is the time to make change happen.

If you want more advice on this, or would like to simply discuss some of the topics raised, then please get in touch with Halkyn Security or start a discussion in the comments here.

Happy New Year – and new site design
http://www.halkynconsulting.co.uk/a/2013/01/happy-new-year-and-new-site-design/
Tue, 08 Jan 2013 22:11:41 +0000

The new year seemed an ideal time to overhaul the site, so we have brought in a new look and feel which should be more responsive for visitors on mobile platforms such as smartphones and tablets. As always, if you experience any problems with the site, please drop us a line and we will try […]

Seasonal Shutdown
http://www.halkynconsulting.co.uk/a/2012/12/seasonal-shutdown/
Mon, 17 Dec 2012 23:03:42 +0000

After a very successful year, Halkyn Consulting will be taking a well earned break over the Christmas period this year. We will be closed to new clients between 22 December 2012 and 6 January 2013, although we will continue to provide our agreed services to existing clients over this period. Thank you for your support […]

Cash in Transit – Still a security risk
http://www.halkynconsulting.co.uk/a/2012/12/cash-in-transit-still-a-security-risk/
Wed, 05 Dec 2012 21:05:18 +0000

In the news today there was a report about a cash delivery being attacked in Brentwood, London, which involved three masked attackers stunning the security guard with a Taser and trying to get access to the cash being delivered. (As reported here)

Robberies like this have been quite rare recently, down to a combination of improved security processes and police clampdowns – but this incident does act as a reminder that there are still lots of criminals who are willing to go to very extreme lengths to get their hands on the assets and valuables of your business.

It is also worth bearing in mind the fact that these are often low-value cash transactions, with robberies rarely taking more than £2,000 – £3,000 in any one attack. The majority of the harm comes from injury to staff, intimidation of employees and customers, and reputational damage to the parties involved. As mentioned recently, we have put together a guide document which can help you assess the risks from robbery and burglary as well as steer you in the right direction for reducing these risks. You can download the Business Security Guide for free.

On a very timely related note, yesterday I was shopping in a chain store while a security company carried out the replenishment of the on-site cashpoint (ATM). The nature of the machine indicates that this is likely to be a significantly larger sum of money than would be delivered to a shop (as per the news item), so you would expect that proper security processes would be employed by both the store (ultimate owner of the risk) and the security company managing the delivery.

Unfortunately this was very much not the case.

While I don’t want to name either the chain of shops, or the security company, there were some very fundamental security errors taking place during the delivery.

Both guards appeared to be unaware of any potential threats and had obviously assumed that this was a “safe” delivery. Neither was wearing a protective helmet; the delivery vehicle was left unattended with the door ajar and the engine running. During the loading of the cashpoint neither guard was paying attention to their surroundings, and they were very slow and relaxed putting the cash in. Equally interestingly, the security van was parked outside the coverage of the store’s CCTV and there appeared to be no store employees engaged with (or even acknowledging the existence of) the security guards.

Now the reality is that this was a fairly low-crime area and I don’t know if this is their regular behaviour when delivering cash, but this certainly presented an opportunity for further exploitation by anyone with criminal intent. It would be fairly trivial to ascertain from the shop employees how often the deliveries came (I managed to gather this information) to allow for an attack to be planned.

This wouldn’t even need to be a long-planned operation. Should criminals wish to rob the delivery, all they need to do is be in the area (lots of parking around the store) ready to go, and when the delivery comes, if the drivers don’t have helmets on, an attack can be mounted there and then rather than waiting for a third delivery day.

The take-away lesson here is that it is critically important that your external-facing security processes and procedures are sound. You never know who is watching, and one weakness in your security chain can lead to quickly planned attacks that can be devastatingly harmful.

Always keep in mind who owns the risks and who is going to suffer the harm – this is a good indicator of who needs to take responsibility. In this case it was split between the shop and the security firm, but the shop appeared to have no interest in its side of the problem.

Never assume that because you have outsourced work to a third party it will be done properly or that it will immunise you from any fallout. It is rare for either to be correct, let alone both, and never without proper management.

ICO fines text spammers nearly £500,000
http://www.halkynconsulting.co.uk/a/2012/12/ico-fines-text-spammers-nearly-500000/
Sun, 02 Dec 2012 23:11:29 +0000

Last week the ICO reported that the directors of a company heavily engaged in spam texting (sending unsolicited commercial messages to people via their mobile / cellular phone) have been fined significant sums of money – this is the first action from the ICO using new powers granted in January 2012.

This was an investigation under the Privacy and Electronic Communications Regulations (PECR) into a company called Tetrus Telecoms, jointly owned by Christopher Niebel and Gary McNeish, who were sending out as many as 840,000 illegal text messages every day.

According to the ICO’s press release, the text messages were the injury and loan compensation messages that people have become accustomed to, and the idea is that people who replied – either asking for more information or simply trying to stop the messages – verified the fact that their number was live and owned by a human. Tetrus Telecoms then sold these details on to other companies for around £5 per person. The ICO has claimed that this was netting them in the region of £7,000 – £8,000 per day.

The main lesson for people is clearly stated by the ICO: (emphasis ours)

Our message to the public is that if you don’t know who sent you a text message then do not respond, otherwise your details may be used to generate profits for these unscrupulous individuals. Together we can put an end to this unlawful industry that continues to plague our daily lives.

Responding in any way, even with the “stop” or “end” messages they claim will put a stop to the texts, is a big mistake. It won't stop the messages (you will get more) and it makes your number a valuable commodity to the spammers.

Unfortunately, no amount of fines from the ICO is going to put a stop to this sort of activity – even with the massive £440,000 worth of fines here, the company is likely to have made more than twice that from the sale of numbers. Until the ICO is able to push for custodial sentences for spammers (or at least much larger fines), the only way to stop this is for everyone to ignore the spam texts.

There is a secondary effect – the ICO is looking to begin investigating the companies which have bought these details.

It is important that any company that has bought data from Tetrus or Niebel or McNeish in the past, now carefully checks that the proper customer consents have been obtained and that they are acting within the law. We are working with the Ministry of Justice to consider whether further enforcement action should be taken against any of these associated companies, including the cancellation of their authorisation to operate.

The profits that Tetrus have made have come from companies who are themselves breaking the law and it seems likely that eventually the ICO will come knocking.

If you, or your company, have paid a third party to provide you with marketing details, contact information or even “leads”, then you really need to make sure you have a robust, and audited, governance system in place.

It is your responsibility to ensure that the third party you have bought the data from is acting within the law and that you are not holding & processing unlawfully collected information.

So the points to consider are:

If you aren’t doing this, you have opened yourself up to the risk of significant monetary penalties and reputational damage.

If you don’t know if you are doing this or not, then you need to address your governance as a matter of urgency.

It is critically important that you carry out proper due diligence on all your providers – be it products, raw materials or marketing data. If you fail to do this, you will suffer the consequences eventually, so make sure you have a large set of funds allocated to the remediation action.

If you want assistance in reviewing, building or improving your governance processes across all domains (security, supplier, supply chain etc.), then get in touch and we would be happy to discuss this further.